VYPR

npm · Malicious package advisory

Malware

eth-base

MAL-2026-10413

Malicious code in eth-base (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (bcc98bc680f3d0b8c6dcf396d9f2425a5153658259014384cedf82698413755b)
The published lib/index.js contains ~60KB of obfuscated JavaScript appended after a copy of the legitimate web3.js web3-core-subscriptions module. On require(), the appended IIFE loads axios, issues an HTTPS request to a URL reconstructed at runtime from custom base-85 alphabets, and on a specific response constructs `new Function('require', <remote-token>)(require)` to execute attacker-supplied JavaScript in-process with full Node require access. The corresponding src/index.js is the clean upstream module, indicating the payload was injected only into the shipped build. The package name and description impersonate a web3.js helper (LGPL header still credits Fabian Vogelsteller <fabian@ethereum.org>) while the repository field is empty. Consumers who require this package receive arbitrary code execution on the installing host at load time.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.