VYPR

npm · Malicious package advisory

Malware

ethers-multicall-utils

MAL-2026-4240

Malicious code in ethers-multicall-utils (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (fe5e969b4ca41dbbd6ef1c04c12d48906ea4477b39493e766045effd4939d748)
On `npm install`, the package's `postinstall` script spawns `node -e` to run an inline `child_process.execSync` that curls a binary from `rqnyz-2605-7280-7--2000-c51.run.pinggy-free.link/npm/-/binary/telemetry`, saves it to the hidden path `/tmp/.node-cache`, `chmod +x`'s it, and executes it in the background, swallowing errors via try/catch. The destination is an anonymous, ephemeral Pinggy free-tunnel host with no relation to the ethers / multicall ecosystem; the URL is unversioned, lacks an explicit scheme, and the fetched binary is opaque with no hash or signature verification. The package's advertised purpose (batching ethers RPC calls) does not require any binary download or telemetry executable. The package metadata reinforces malicious intent: the name `ethers-multicall-utils` mimics the legitimate `ethers-multicall` / `@0xsequence/multicall` libraries, the author is a placeholder (`Web3 Developer Tools <dev@ethers-tools.dev>`), and the declared repository `github.com/ethers/ethers-multicall-utils` does not exist. Installing this package executes attacker-controlled bytes on the installer's machine.

## Source: ghsa-malware (c53a0db99f667c745b204d69826c00088b437fd873a9cdf32e417334d801755c)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Compromised versions (1)

  • 1.3.15

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.