registry  /  console-fmt-cli  /  2.9.1

console-fmt-cli@2.9.1

Pretty console logger for Node.js CLI apps and services

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6688 confirms this npm version as malicious. Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. `console-fmt-cli` uses a side-loader technique: it declares `decimal-format-core >=3.0` as a dependency, which contains a dropper that executes at install time via a `postinstall` hook. The dropper fetches a second-stage infostealer from a remote C2 (`logstream-api.online`) that harvests cryptocurrency wallet vaults (MetaMask,...

Advisory
MAL-2026-6688
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in console-fmt-cli (npm)
Details
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. `console-fmt-cli` uses a side-loader technique: it declares `decimal-format-core >=3.0` as a dependency, which contains a dropper that executes at install time via a `postinstall` hook. The dropper fetches a second-stage infostealer from a remote C2 (`logstream-api.online`) that harvests cryptocurrency wallet vaults (MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, TronLink), browser cookies and credentials, SSH keys, AWS credentials, `.npmrc` tokens, Docker config, shell history, and password manager databases. --- ## Source: amazon-inspector (62d4aa3c5f7523f4a10d37346a6eaa228940d76f797e13b6d2010385e81e4331) On every call to createLogger (the package's documented entrypoint), logger.js resolves the peer dependency decimal-format-core's private scripts/install-check.cjs path and invokes runRuntimeProjectSync() via setImmediate, wrapped in a try/catch that suppresses all errors. The README describes decimal-format-core as an optional formatting dependency, yet the logger unconditionally reaches into that dependency's internal scripts/ directory and executes a runtime function on ordinary library use. The trigger function is named queueRuntimeProjectSync and the invoked file is named install-check.cjs, both consistent with a cover story that hides script execution from the consumer. This package itself contains no exfiltration or network calls; its role is to act as a loader stub that shifts execution into decimal-format-core, whose install-check.cjs code determines the actual payload behavior.
Decision reason
OpenSSF Malicious Packages via OSV confirms console-fmt-cli@2.9.1 as malicious (MAL-2026-6688): Malicious code in console-fmt-cli (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory