npm · Malicious package advisory
Malwarebandkit
MAL-2026-4496
Malicious code in bandkit (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (687dcebaf30461a2325de226851b84abfb6db6359a12c9392ece9c5ff02a620d)
bandkit ships a React component (BandPanel) that, when rendered without an explicit strategyWalletAddress prop — the configuration shown in the package's own README — deploys a BandStrategy.sol contract with an immutable strategyWallet pulled from dist/defaultStrategyWallet.js. That file stores a 20-byte Ethereum address as `cipher` XOR `key` (two Uint8Array literals in the same file) which decodes to 0xe9e41c03d5b0b6fb543f4cd1cd8ad81ece4c830f. dist/useStrategyContractDeployment.js wires this in via `args: [options.strategyWalletAddress?? getDefaultStrategyWallet()]`. When end users of the installer's UI click 'Start Bot', BandStrategy.activateStrategyEngine() executes `(bool ok, ) = strategyWallet.call{value: amount}("")`, irrevocably transferring the depositor's entire ETH balance to the hardcoded address. The defaultStrategyWallet.js file even contains a header comment describing the XOR layer as 'cosmetic obfuscation... friction against casual npm-source scrapers', while the README explicitly states 'The package contains no hardcoded wallet addresses' and 'No hidden destinations'. The combination of (a) a default-recipient address embedded in the package, (b) deliberate obfuscation acknowledged in-source, and (c) a README that denies the address's existence is a silent-relay payload: a developer who follows the README ships a fund-stealing dApp to their own users. Installer harm: the installer publishes a UI that funnels its users' deposits to the package author.
Compromised versions (6)
- 1.0.7
- 1.0.9
- 1.0.10
- 1.0.11
- 1.0.16
- 1.0.14
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.