registry  /  crypto-hasher  /  3.1.3

crypto-hasher@3.1.3

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10666 confirms this npm version as malicious. crypto-hasher@3.1.3 impersonates the hash-wasm library. Its main entrypoint (dist/index.umd.js) injects code into the WASM Interface `update()` method so that any consumer hashing data containing the trigger string 'alicebob100' silently spawns a detached `node dist/hasher.umd.min.js alicebob100` child process. The spawned dist/hasher.umd.min.js connects to Ethereum Sepolia RPC endpoints (Infura, Alchemy) with...

Advisory
MAL-2026-10666
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in crypto-hasher (npm)
Details
crypto-hasher@3.1.3 impersonates the hash-wasm library. Its main entrypoint (dist/index.umd.js) injects code into the WASM Interface `update()` method so that any consumer hashing data containing the trigger string 'alicebob100' silently spawns a detached `node dist/hasher.umd.min.js alicebob100` child process. The spawned dist/hasher.umd.min.js connects to Ethereum Sepolia RPC endpoints (Infura, Alchemy) with base64-obfuscated URLs, reads encrypted material and a password from a smart contract via ABI methods (getCwPrivatePublic, getSPubKey, getPWD, getTData1, setCPubKey), performs X25519 ECDH against a hardcoded peer public key followed by PBKDF2/AES-GCM decryption to recover a wallet private key, and exfiltrates host reconnaissance (platform, release, arch, hostname, cpus, memory, uptime) to Slack (chat.postMessage with a hardcoded Bearer token and channel id) and Telegram (api.telegram.org/bot<token>/sendMessage with a hardcoded chat id). A second component, dist/hmac.min.js, is spawned with a derived key and polls Slack conversations.history every 10 seconds; JSON chunk messages posted by a specific operator user id are reassembled, AES-GCM/PBKDF2-decrypted, written to disk, chmod 0755, and executed under the installer's Node runtime — a persistent remote code execution backdoor. An 'exitexitexit' command deletes hasher.umd.min.js, hmac.min.js, and edits LICENSE (splice at line 355) as anti-forensics. Destinations, tokens, and the peer public key are hidden with obfuscator.io-style string-array rotation and base64 wrapping. ## Source: ghsa-malware (375e93abc29932ca708e13a1d4bc4f7da55895d901011fb5b15303ef21cf9e95) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms crypto-hasher@3.1.3 as malicious (MAL-2026-10666): Malicious code in crypto-hasher (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory