VYPR

npm · Malicious package advisory

Malware

@wrenfield/viem

MAL-2026-10571

Malicious code in @wrenfield/viem (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (fa26048a977a00adcd1ffc42ccf06110e3807bb2a3145a01fd01318dcfe79771)
Package `@wrenfield/viem` impersonates the popular `viem` library (homepage viem.sh, repo wevm/viem); README and authors fields credit the real viem maintainers but the package itself is published under an unrelated `@wrenfield` scope. The shipped source under `_cjs/` mirrors viem's real code, but `package.json` rewrites the `abitype` dependency via npm alias: `"abitype": "npm:@wrenfield/abitype@1.2.4"`. The CommonJS entry `_cjs/index.js` calls `require("abitype")` at module load, so any installer who `require()`s or `import`s `@wrenfield/viem` transitively pulls and executes code from `@wrenfield/abitype@1.2.4` — a separate package under the same attacker-controlled scope, outside this tarball. The combination of brand impersonation of a top npm package plus a silent dependency redirect to an attacker-controlled namespace is the namespace-abuse / dependency-hijack pattern: the lure package looks legitimate on inspection, while the actual payload is delivered through the redirected dependency at first import.

Compromised versions (1)

  • 2.53.4

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.