registry  /  chain-sdk-js  /  1.0.3

chain-sdk-js@1.0.3

JavaScript library for interacting with the Theta Blockchain

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10608 confirms this npm version as malicious. chain-sdk-js is a typosquat of @thetalabs/theta-js (package name, description, author 'Theta Labs', and bundle filenames thetajs.cjs.js/thetajs.umd.js all mimic the legitimate SDK). The package's main entry, executed on require/import in cjs, esm, and umd builds, DES-decrypts an opaque blob (`rsa.db`) loaded from the co-installed dependency `thedata` (^1.0.1) using the hardcoded password 'hydra', then spawns a...

Advisory
MAL-2026-10608
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in chain-sdk-js (npm)
Details
chain-sdk-js is a typosquat of @thetalabs/theta-js (package name, description, author 'Theta Labs', and bundle filenames thetajs.cjs.js/thetajs.umd.js all mimic the legitimate SDK). The package's main entry, executed on require/import in cjs, esm, and umd builds, DES-decrypts an opaque blob (`rsa.db`) loaded from the co-installed dependency `thedata` (^1.0.1) using the hardcoded password 'hydra', then spawns a `node` child process and pipes the decrypted bytes into its stdin for execution (`child_process.spawn('node', [], {...}); rsa_exec.stdin.write(String(rsaDecrypted))`). Splitting the loader from the encrypted payload into a separately-published dependency (`node_modules/thedata/apps/docs/app/rsa.db` and `des.db`) hides the actual code that runs from static inspection of this tarball. The dist bundles also contain hardcoded POST/fetch call sites consistent with outbound network activity from the executed payload. Any consumer that installs and imports this package runs attacker-controlled code with the installer's privileges; the typosquat targets Theta blockchain developers who handle wallet and private-key material.
Decision reason
OpenSSF Malicious Packages via OSV confirms chain-sdk-js@1.0.3 as malicious (MAL-2026-10608): Malicious code in chain-sdk-js (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory