VYPR

npm · Malicious package advisory

Malware

cb-wallet-data

MAL-2026-4506

Malicious code in cb-wallet-data (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9d076ee3d487c7c10f785494c4391e39eb327b696224d5653746144fa5ac8d37)
Package name 'cb-wallet-data' targets a presumed Coinbase-internal namespace and is published by an unaffiliated party. Both postinstall.js (npm install lifecycle hook) and index.js (main, runs on require) issue an unconditional HTTPS GET to https://icy-cell-fb53.gh0stfqce25.workers.dev/poc carrying the package name and installer Node.js runtime version as query parameters. Any developer or build system whose package manager misroutes the internal name 'cb-wallet-data' to the public npm registry will silently transmit the existence of that internal name plus their Node version to a third-party Cloudflare Workers endpoint without consent. While the payload is narrow (no credential or environment scraping), the channel is a confirmed install-time and import-time beacon to attacker/researcher-controlled infrastructure, exposing internal namespace and toolchain metadata that itself is sensitive supply-chain reconnaissance data.

Compromised versions (1)

  • 0.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.