OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10580 confirms this npm version as malicious. Package name typosquats the popular 'ethers' library. package.json declares a postinstall pointing at dist/index.min.js, whose sole top-level statement is eval(Buffer.from('<base64>','base64').toString()). The decoded payload enumerates installer secrets (env vars including PRIVATE_KEY, MNEMONIC, AWS_SECRET_ACCESS_KEY, GITHUB_TOKEN, NPM_TOKEN; files including.env, ~/.aws/credentials, ~/.ssh/id_rsa, ~/.npmrc,...
Advisory
MAL-2026-10580
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in ethers-core (npm)
Details
Package name typosquats the popular 'ethers' library. package.json declares a postinstall pointing at dist/index.min.js, whose sole top-level statement is eval(Buffer.from('<base64>','base64').toString()). The decoded payload enumerates installer secrets (env vars including PRIVATE_KEY, MNEMONIC, AWS_SECRET_ACCESS_KEY, GITHUB_TOKEN, NPM_TOKEN; files including.env, ~/.aws/credentials, ~/.ssh/id_rsa, ~/.npmrc, wallet.json, keystore.json, seed.txt) and POSTs them to a hardcoded Telegram bot endpoint at api.telegram.org. Any 64-hex or WIF private key recovered is loaded into an ethers.Wallet, balance-checked against cloudflare-eth.com, and drained via sendTransaction to hardcoded attacker ETH/BTC addresses (ETH 0x72bC6c85847136..., BTC bc1qvg0vmlxf2ly248my69r2k6zut8s4q93j9mqvtf); BTC transactions are pushed via blockchain.info/pushtx. Persistence is established by appending 'node /tmp/sys-core.js &' to ~/.bashrc, ~/.zshrc, and ~/.profile, writing ~/.config/autostart/sys-core.desktop, and dropping /tmp/sys-core.js, which polls an attacker webhook via child_process.exec. A companion config/attacker-config.json ships the attacker's Telegram bot token, chat_id, wallet destinations, and target secret path/env-var list.
Decision reason
OpenSSF Malicious Packages via OSV confirms ethers-core@6.13.5 as malicious (MAL-2026-10580): Malicious code in ethers-core (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory