OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10499 confirms this npm version as malicious. Package eth-lib-utils@5.2.3 impersonates @ethereumjs/util / ethereumjs-util (README, author list, repository URL, and source tree copied from the legitimate package). The published Node build dist/index.js contains an unconditional `require("assertcore")` at module load that is absent from the TypeScript source src/index.ts and from the parallel dist.browser/index.js — the import was injected only into the shipped...
Advisory
MAL-2026-10499
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in eth-lib-utils (npm)
Details
Package eth-lib-utils@5.2.3 impersonates @ethereumjs/util / ethereumjs-util (README, author list, repository URL, and source tree copied from the legitimate package). The published Node build dist/index.js contains an unconditional `require("assertcore")` at module load that is absent from the TypeScript source src/index.ts and from the parallel dist.browser/index.js — the import was injected only into the shipped artifact. The required name `assertcore` is not declared in package.json; the declared dependency is the differently-named `assertcoreutils` (^2.3.2), an unrelated name shaped to look like an Ethereum companion package. The effect on a consumer that runs `require('eth-lib-utils')` in Node is to load whatever code is published under `assertcore` / `assertcoreutils` in the installer's process, while the package presents itself as a drop-in for a widely-used Ethereum utility. This is the standard typosquat-plus-transitive-dropper shape: the lure package looks like a clean re-export, the harmful code lives one resolution hop away in a name the installer never asked for.
Decision reason
OpenSSF Malicious Packages via OSV confirms eth-lib-utils@5.2.3 as malicious (MAL-2026-10499): Malicious code in eth-lib-utils (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory