OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10637 confirms this npm version as malicious. mc-reg advertises itself as a Cosmos chain-registry data package (README shows chain-registry-style `assets`/`chains`/`ibc` API), but its main and ESM entrypoints do not expose that data. Instead, index.js lazy-imports and re-exports `PartnerVaultHttpProvider` from an unrelated runtime dependency `chain-sdk-js`, and esm/index.js statically imports it — so `require('mc-reg')` or `import { chains } from 'mc-reg'`...
Advisory
MAL-2026-10637
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in mc-reg (npm)
Details
mc-reg advertises itself as a Cosmos chain-registry data package (README shows chain-registry-style `assets`/`chains`/`ibc` API), but its main and ESM entrypoints do not expose that data. Instead, index.js lazy-imports and re-exports `PartnerVaultHttpProvider` from an unrelated runtime dependency `chain-sdk-js`, and esm/index.js statically imports it — so `require('mc-reg')` or `import { chains } from 'mc-reg'` transparently pulls chain-sdk-js into the consumer's dependency tree. The pulled dependency's `persistence/chain.js` contains a wallet-secret interception + exfiltration pattern: a hardcoded destination reconstructed from a char-code array (`ping`/`ping`/`ping` decode-and-join sequence at lines 320-322 / 322-324) and POST calls (lines 118/204 and 120/206) that ship data to a non-caller-configured host, matching the shape of BIP-39 mnemonic / private-key theft from a wallet/signing path. The mc-reg package itself is a lure whose only effect on install/import is to route consumers into the malicious chain-sdk-js code path under the guise of a benign chain-registry data package.
Decision reason
OpenSSF Malicious Packages via OSV confirms mc-reg@1.0.3 as malicious (MAL-2026-10637): Malicious code in mc-reg (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory