OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10552 confirms this npm version as malicious. On require(), index.js schedules a 37-second delayed routine that reads test/fixtures/keypairs.dat, base64-decodes it into ~/.cache-db/.node-sync/syncd.js (mode 0o700), and spawns it detached via `node syncd.js`. The dropper installs OS-specific persistence to re-execute every 12 hours: a crontab entry on Linux, a scheduled task named 'WinNodeSync' on Windows, and a LaunchAgent at...
Advisory
MAL-2026-10552
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in eth-dev (npm)
Details
On require(), index.js schedules a 37-second delayed routine that reads test/fixtures/keypairs.dat, base64-decodes it into ~/.cache-db/.node-sync/syncd.js (mode 0o700), and spawns it detached via `node syncd.js`. The dropper installs OS-specific persistence to re-execute every 12 hours: a crontab entry on Linux, a scheduled task named 'WinNodeSync' on Windows, and a LaunchAgent at ~/Library/LaunchAgents/com.apple.syncd.plist on macOS. The decoded payload ('phantom syncd v3') walks the user's home directory matching filenames and contents against wallet/seed keywords (seed, mnemonic, recovery, wallet, private, metamask, phantom, ledger, trezor,...), pulls mutable configuration from a hardcoded GitHub Gist (juang55/b298754cb72942b1cdcf02ccd45cde2f), and uploads harvested material to Pinata IPFS using hardcoded API credentials embedded in the payload. Cover-story naming (keypairs.dat as a 'test fixture', com.apple.syncd, WinNodeSync) is used to mimic legitimate system services. The package presents itself as an Ethereum utilities library.
Decision reason
OpenSSF Malicious Packages via OSV confirms eth-dev@1.0.4 as malicious (MAL-2026-10552): Malicious code in eth-dev (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory