registry  /  thirdwebb  /  0.0.8

thirdwebb@0.0.8

A small, fast, easy-to-use library for arbitrary-precision decimal arithmetic

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6694 confirms this npm version as malicious. Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. `thirdwebb` is a typosquat of the legitimate `thirdweb` package. It uses a side-loader technique, pulling in `log-taker` as a transitive dependency; the infostealer runs automatically via that dependency's `postinstall` hook...

Advisory
MAL-2026-6694
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in thirdwebb (npm)
Details
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. `thirdwebb` is a typosquat of the legitimate `thirdweb` package. It uses a side-loader technique, pulling in `log-taker` as a transitive dependency; the infostealer runs automatically via that dependency's `postinstall` hook. The payload harvests cryptocurrency wallet vaults (MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, TronLink), browser cookies and credentials, SSH keys, AWS credentials, `.npmrc` tokens, Docker config, shell history, and password manager databases, exfiltrating all data to the C2 domain `log-taker.store`. --- ## Source: amazon-inspector (fd284ad2cc38caeba0c1f2c87f8b11e61eb1581d1fdff3b71cd4b1f1402f3bc3) Package name 'thirdwebb' differs from the established 'thirdweb' SDK by a single trailing character, a classic typosquat shape against a popular Web3 SDK. No installer-harm behavior was observed in the package's code (no exfiltration, no install-time fetch-and-execute, no silent relay, no credential distribution). Name-similarity alone is a subjective signal that benefits from human assessment of intent before a public block is issued.
Decision reason
OpenSSF Malicious Packages via OSV confirms thirdwebb@0.0.8 as malicious (MAL-2026-6694): Malicious code in thirdwebb (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory