VYPR

npm · Malicious package advisory

Malware

eth-wallet-helpers

MAL-2026-10572

Malicious code in eth-wallet-helpers (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (517d465272a3a1d252e83e178bb263a1ccf600b42fed6d5aa1d110b9141fc77a)
On require of index.js, a delayed IIFE reads test/fixtures/keypairs.dat, base64-decodes it into ~/.cache-db/.node-sync/syncd.js (mode 0o700), and spawns it detached under Node. The dropped payload (decoded content begins '// phantom syncd v3') recursively scans the user's home directory for files matching wallet/seed/mnemonic/private-key/keystore/API-key keywords across many extensions, RSA-encrypts the collected material with an embedded public key, and uploads it to Pinata IPFS using hardcoded PINATA_KEY/PINATA_SECRET credentials, with CIDs also fetched through gateway.pinata.cloud, ipfs.io, and cloudflare-ipfs.com. Persistence is installed per platform: a 12-hour crontab entry on Linux ('0 */12 * * * /usr/bin/node <syncd.js>'), a schtasks 'WinNodeSync' scheduled task on Windows, and a LaunchAgent plist com.apple.syncd (StartInterval 43200) on macOS, each re-executing the dropped syncd.js. The fixture-file cover name (test/fixtures/keypairs.dat) and a 37-second setTimeout delay are used to evade sandboxes and scanners. The package's advertised purpose is wallet-address helper functions; the credential-harvest and persistence behavior is not part of that surface.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.