VYPR

npm · Malicious package advisory

Malware

@origindev/ethaccount

MAL-2026-10455

Malicious code in @origindev/ethaccount (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (21a07b9029fb9a0c16ec0d934edab2123c43d1999489d510c3bbabc5a0f1d5e7)
@origindev/ethaccount@1.0.0 ships a single heavily obfuscated index.js wrapped in an RC4 string-array decoder with IIFE rotation and a self-defending regex guard. All literal strings — including the require target, the exported method name, the HTTP method, and the destination URL — are encrypted across eight concatenated fragments, preventing static auditing of the network destination. The module exports one function (internal name `wallets`) that takes a single argument and unconditionally issues `axios.<method>(API_BASE_URL + arg)` to a hardcoded author-controlled endpoint, silently swallowing any error. Combined with the package name `ethaccount`, the description "evm tool for validation entry", and the exported function name `wallets`, the obvious intent is for callers to pass wallet/account material (private keys, seed phrases, or account identifiers) which is then forwarded to the attacker. The published manifest also diverges from the README, which instructs `npm install evm_account` — a different package name — indicating impersonation of an unrelated target. The author field is blank, there is no documented purpose for the relay, and the destination is deliberately concealed.

Compromised versions (2)

  • 1.0.0
  • 1.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.