OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6201 confirms this npm version as malicious. Package `eth-util` impersonates the legitimate `@ethereumjs/util` package: README, repository URL (github.com/ethereumjs/ethereumjs-monorepo), badges, contributor list, and module API are copied from the ethereumjs project, but the package is published under the unrelated short name `eth-util`. The compiled `dist/index.js` at line 55 contains a side-effect-only `require("assert-kit")` that is absent from...
Advisory
MAL-2026-6201
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in eth-util (npm)
Details
Package `eth-util` impersonates the legitimate `@ethereumjs/util` package: README, repository URL (github.com/ethereumjs/ethereumjs-monorepo), badges, contributor list, and module API are copied from the ethereumjs project, but the package is published under the unrelated short name `eth-util`. The compiled `dist/index.js` at line 55 contains a side-effect-only `require("assert-kit")` that is absent from `src/index.ts` and from the parallel `dist.browser/index.js` bundle — tsc would not emit an unreferenced require of a package not present in the source, so this line was injected post-compile. Anyone reading the GitHub source would not see the loader; only the published npm tarball carries it. The `assert-kit` dependency is declared at `^4.3.2` in package.json, mimic-named after the Node built-in `assert` referenced in the README, and the caret range lets the publisher ship arbitrary code into installers via any future minor/patch release. On `require("eth-util")`, the consumer's process executes whatever top-level code `assert-kit` ships.
## Source: ghsa-malware (25c797954fc796493e459a69efde378ef04874f43e7c5570c12e9b8463688807) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms eth-util@7.1.5 as malicious (MAL-2026-6201): Malicious code in eth-util (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory