VYPR

npm · Malicious package advisory

Malware

eth-lib-utils

MAL-2026-10499

Malicious code in eth-lib-utils (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (13895e2e8ee4aa9683c2fd6f0f873a38b19bbc5af207233e22c51668bc7dba41)
Package eth-lib-utils@5.2.3 impersonates @ethereumjs/util / ethereumjs-util (README, author list, repository URL, and source tree copied from the legitimate package). The published Node build dist/index.js contains an unconditional `require("assertcore")` at module load that is absent from the TypeScript source src/index.ts and from the parallel dist.browser/index.js — the import was injected only into the shipped artifact. The required name `assertcore` is not declared in package.json; the declared dependency is the differently-named `assertcoreutils` (^2.3.2), an unrelated name shaped to look like an Ethereum companion package. The effect on a consumer that runs `require('eth-lib-utils')` in Node is to load whatever code is published under `assertcore` / `assertcoreutils` in the installer's process, while the package presents itself as a drop-in for a widely-used Ethereum utility. This is the standard typosquat-plus-transitive-dropper shape: the lure package looks like a clean re-export, the harmful code lives one resolution hop away in a name the installer never asked for.

Compromised versions (3)

  • 5.2.3
  • 5.2.5
  • 5.2.4

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.