OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6688 confirms this npm version as malicious. Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. `console-fmt-cli` uses a side-loader technique: it declares `decimal-format-core >=3.0` as a dependency, which contains a dropper that executes at install time via a `postinstall` hook. The dropper fetches a second-stage infostealer from a remote C2 (`logstream-api.online`) that harvests cryptocurrency wallet vaults (MetaMask,...
Advisory
MAL-2026-6688
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in console-fmt-cli (npm)
Details
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. `console-fmt-cli` uses a side-loader technique: it declares `decimal-format-core >=3.0` as a dependency, which contains a dropper that executes at install time via a `postinstall` hook. The dropper fetches a second-stage infostealer from a remote C2 (`logstream-api.online`) that harvests cryptocurrency wallet vaults (MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, TronLink), browser cookies and credentials, SSH keys, AWS credentials, `.npmrc` tokens, Docker config, shell history, and password manager databases.
---
## Source: amazon-inspector (7ccb50e741119fa832c2a87e47315cb08f14f9dfe5422bba40aa7788b2aab7de) The package was found to contain malicious code or consuming dependency that contains malicious code
Decision reason
OpenSSF Malicious Packages via OSV confirms console-fmt-cli@2.1.0 as malicious (MAL-2026-6688): Malicious code in console-fmt-cli (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory