npm · Malicious package advisory
Malwarecb-wallet-data
MAL-2026-4506
Malicious code in cb-wallet-data (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (9d076ee3d487c7c10f785494c4391e39eb327b696224d5653746144fa5ac8d37) Package name 'cb-wallet-data' targets a presumed Coinbase-internal namespace and is published by an unaffiliated party. Both postinstall.js (npm install lifecycle hook) and index.js (main, runs on require) issue an unconditional HTTPS GET to https://icy-cell-fb53.gh0stfqce25.workers.dev/poc carrying the package name and installer Node.js runtime version as query parameters. Any developer or build system whose package manager misroutes the internal name 'cb-wallet-data' to the public npm registry will silently transmit the existence of that internal name plus their Node version to a third-party Cloudflare Workers endpoint without consent. While the payload is narrow (no credential or environment scraping), the channel is a confirmed install-time and import-time beacon to attacker/researcher-controlled infrastructure, exposing internal namespace and toolchain metadata that itself is sensitive supply-chain reconnaissance data.
Compromised versions (1)
- 0.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.