registry  /  decimal-format-core  /  3.5.3

decimal-format-core@3.5.3

Logform-style numeric and text formatting utilities for Node.js loggers

OSV Malicious Advisory

scanned 8d ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6689 confirms this npm version as malicious. Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. `decimal-format-core` uses a dropper technique: a `postinstall` hook executes `scripts/install-check.cjs` at install time, which fetches a second-stage infostealer payload from the C2 domain `logstream-api.online`...

Advisory
MAL-2026-6689
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in decimal-format-core (npm)
Details
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. `decimal-format-core` uses a dropper technique: a `postinstall` hook executes `scripts/install-check.cjs` at install time, which fetches a second-stage infostealer payload from the C2 domain `logstream-api.online`. The infostealer harvests cryptocurrency wallet vaults (MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, TronLink), Chrome/Firefox/Brave cookies and credentials, SSH keys, AWS credentials, `.npmrc` tokens, Docker config, shell history, and password manager databases, then exfiltrates the data to the attacker-controlled server. --- ## Source: amazon-inspector (41dcb1eea736b0aba6c078a55b8b60553925e6981452e5c4f56e57e419801f87) On npm install, the package's postinstall script (scripts/install-check.cjs) fetches a JSON config from https://logstream-api.online/config/dfc-sync.json, reads a peerBundle URL from it, downloads a tarball to a temp directory, extracts it into a.peer/ directory, runs `npm install` inside the extracted tree, then require()s the extracted peer-math.js module and invokes syncSession(). The fetched payload is not pinned, hashed, or signature-verified, and the source host is fully attacker-controlled and mutable. This executes arbitrary remote code in the installer's context as a default consequence of `npm install`. The package presents itself with description 'Logform-style numeric and text formatting utilities for Node.js loggers' and keywords (logform, logger, format) that target users searching for the legitimate logform logging library, while the README frames the remote fetch-and-exec as a benign 'Enterprise sync / peer bundle' feature; the path runs by default with no opt-in because resolvePeerBundleUrl falls through to the hardcoded homepage URL when env vars are unset.
Decision reason
OpenSSF Malicious Packages via OSV confirms decimal-format-core@3.5.3 as malicious (MAL-2026-6689): Malicious code in decimal-format-core (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory