registry  /  kecak256  /  1.0.0

kecak256@1.0.0

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-5342 confirms this npm version as malicious. `kecak256` is a typosquat of the popular `keccak256` package (one `c` dropped) that ships a credential-stealing payload executed automatically on install.

Advisory
MAL-2026-5342
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in kecak256 (npm)
Details
`kecak256` is a typosquat of the popular `keccak256` package (one `c` dropped) that ships a credential-stealing payload executed automatically on install. The package spoofs the legitimate keccak256 project — author "Miguel Mota", matching description, README, and keywords — and includes a benign decoy hash implementation (`kecak256.js`) as `main`. `package.json` defines `scripts.postinstall`: `node init.m.js && echo DONE`, and declares `archiver`, `axios`, and `form-data` as runtime dependencies (the exfiltration toolchain). **init.m.js (launcher):** RC4 + base64 string obfuscation. On Windows it spawns a hidden PowerShell (`-WindowStyle Hidden -ExecutionPolicy Bypass`) that `Start-Process`-launches `upchk.m.js` under node; on other platforms it spawns `node upchk.m.js` detached (`{detached:true, windowsHide:true, stdio:'ignore'}`) and calls `child.unref()` to orphan the process. **upchk.m.js (stage 2, ~63 KB obfuscated):** performs an `isAdmin()` privilege check, targets browser/credential stores (observed string targets include Chrome `Login Data`, keystore, `cc_appkey`), archives collected data into `npmupdate.zip` via `archiver`, and exfiltrates it in 5 MB chunks via `axios` + `FormData` to a runtime-decoded C2 URL (`uploadFileChunks(file, sUrl, 5MB)`). --- ## Source: amazon-inspector (96b5e944a53a17f8f09fb68b1577592760eae7ff8da438663a3f4d6b1153db79) Package name `kecak256` is a single-character deletion of the widely-used `keccak256` package by Miguel Mota, and `package.json` sets `author.name` to 'Miguel Mota' — matching the legitimate package's maintainer identity. The code in `kecak256.js` is a verbatim copy of the legitimate keccak256 implementation: it exports a clean keccak256() function with no lifecycle scripts, no network I/O, no obfuscation, no credential reads, and no eval/exec. At this version the package is functionally benign, but the name-confusion shape combined with author impersonation is a supply-chain hygiene concern: developers who mistype `keccak256` resolve to this package, and the namespace is positioned for a future malicious update under an impersonated identity. Routing for human review since name-similarity judgments are subjective and no installer-harm payload is present in this version. ## Source: ghsa-malware (558c8dc29d2f864f51bea9c39fd8af25714a650a35d008d4142acd5c402a1b3c) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms kecak256@1.0.0 as malicious (MAL-2026-5342): Malicious code in kecak256 (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory