npm · Malicious package advisory
Malwareeth-lib-utils
MAL-2026-10499
Malicious code in eth-lib-utils (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (13895e2e8ee4aa9683c2fd6f0f873a38b19bbc5af207233e22c51668bc7dba41)
Package eth-lib-utils@5.2.3 impersonates @ethereumjs/util / ethereumjs-util (README, author list, repository URL, and source tree copied from the legitimate package). The published Node build dist/index.js contains an unconditional `require("assertcore")` at module load that is absent from the TypeScript source src/index.ts and from the parallel dist.browser/index.js — the import was injected only into the shipped artifact. The required name `assertcore` is not declared in package.json; the declared dependency is the differently-named `assertcoreutils` (^2.3.2), an unrelated name shaped to look like an Ethereum companion package. The effect on a consumer that runs `require('eth-lib-utils')` in Node is to load whatever code is published under `assertcore` / `assertcoreutils` in the installer's process, while the package presents itself as a drop-in for a widely-used Ethereum utility. This is the standard typosquat-plus-transitive-dropper shape: the lure package looks like a clean re-export, the harmful code lives one resolution hop away in a name the installer never asked for.
Compromised versions (3)
- 5.2.3
- 5.2.5
- 5.2.4
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.