OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10135 confirms this npm version as malicious. theta-sdk-js@1.2.15 ships src/decrypt.js and src/providers/BaseProvider.js which together implement a hidden execution channel. On module load, decrypt.js reads two encrypted blobs (rsa.db, des.db) from node_modules/tchain-api/apps/docs/app/, DES-decrypts them using the hardcoded password 'hydra' via crypto-js, and returns the plaintext. Top-level IIFEs in src/providers/BaseProvider.js spawn detached `node` child...
Advisory
MAL-2026-10135
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in theta-sdk-js (npm)
Details
theta-sdk-js@1.2.15 ships src/decrypt.js and src/providers/BaseProvider.js which together implement a hidden execution channel. On module load, decrypt.js reads two encrypted blobs (rsa.db, des.db) from node_modules/tchain-api/apps/docs/app/, DES-decrypts them using the hardcoded password 'hydra' via crypto-js, and returns the plaintext. Top-level IIFEs in src/providers/BaseProvider.js spawn detached `node` child processes (`spawn('node', [], { detached: true, stdio: ['pipe','ignore','ignore'] })`), pipe the decrypted plaintext into stdin for execution, and call `unref()` so the child outlives the parent. The runtime dependency `tchain-api@^1.2.5` — declared in package.json — supplies the encrypted payload files, so `npm install theta-sdk-js` automatically stages the payload host. The distributed `dist/thetajs.cjs.js` (declared as `main`) is clean and does not contain this code; the dropper lives only in the src/ tree that is also shipped in the tarball, so consumers that import subpaths or use bundlers/tree-shakers that resolve src/index.js trigger the execution. Encrypting the payload in a sibling package with a hardcoded key, splitting the malicious code away from the declared entrypoint, and executing decoded plaintext in a detached child process are hallmarks of deliberate evasion, not legitimate SDK behavior.
Decision reason
OpenSSF Malicious Packages via OSV confirms theta-sdk-js@1.2.15 as malicious (MAL-2026-10135): Malicious code in theta-sdk-js (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory