registry  /  eth-base  /  1.0.0

eth-base@1.0.0

A lightweight foundation library providing common utilities, helpers, types, constants, and shared functionality for building Ethereum and Web3 applications.

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10413 confirms this npm version as malicious. The published lib/index.js contains ~60KB of obfuscated JavaScript appended after a copy of the legitimate web3.js web3-core-subscriptions module...

Advisory
MAL-2026-10413
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in eth-base (npm)
Details
The published lib/index.js contains ~60KB of obfuscated JavaScript appended after a copy of the legitimate web3.js web3-core-subscriptions module. On require(), the appended IIFE loads axios, issues an HTTPS request to a URL reconstructed at runtime from custom base-85 alphabets, and on a specific response constructs `new Function('require', <remote-token>)(require)` to execute attacker-supplied JavaScript in-process with full Node require access. The corresponding src/index.js is the clean upstream module, indicating the payload was injected only into the shipped build. The package name and description impersonate a web3.js helper (LGPL header still credits Fabian Vogelsteller <fabian@ethereum.org>) while the repository field is empty. Consumers who require this package receive arbitrary code execution on the installing host at load time.
Decision reason
OpenSSF Malicious Packages via OSV confirms eth-base@1.0.0 as malicious (MAL-2026-10413): Malicious code in eth-base (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory