npm · Malicious package advisory
Malware@origindev/ethaccount
MAL-2026-10455
Malicious code in @origindev/ethaccount (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (21a07b9029fb9a0c16ec0d934edab2123c43d1999489d510c3bbabc5a0f1d5e7) @origindev/ethaccount@1.0.0 ships a single heavily obfuscated index.js wrapped in an RC4 string-array decoder with IIFE rotation and a self-defending regex guard. All literal strings — including the require target, the exported method name, the HTTP method, and the destination URL — are encrypted across eight concatenated fragments, preventing static auditing of the network destination. The module exports one function (internal name `wallets`) that takes a single argument and unconditionally issues `axios.<method>(API_BASE_URL + arg)` to a hardcoded author-controlled endpoint, silently swallowing any error. Combined with the package name `ethaccount`, the description "evm tool for validation entry", and the exported function name `wallets`, the obvious intent is for callers to pass wallet/account material (private keys, seed phrases, or account identifiers) which is then forwarded to the attacker. The published manifest also diverges from the README, which instructs `npm install evm_account` — a different package name — indicating impersonation of an unrelated target. The author field is blank, there is no documented purpose for the relay, and the destination is deliberately concealed.
Compromised versions (2)
- 1.0.0
- 1.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.