VYPR

npm · Malicious package advisory

Malware

cb-wallet-http

MAL-2026-4507

Malicious code in cb-wallet-http (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e8d704c0a6a48da0e2fef8eddcd1f98e7d380c3e19f22753f3df51d9893f60ce)
Package name mimics Coinbase's internal `cb-wallet-*` namespace to capture dependency-confusion resolutions. On `npm install` (postinstall.js) and on `require('cb-wallet-http')` (index.js), the package issues an HTTPS GET to the hardcoded endpoint `https://icy-cell-fb53.gh0stfqce25.workers.dev/poc`, transmitting the package name and Node.js runtime version to a third-party Cloudflare Workers domain registered under a personal handle (`gh0stfqce25.workers.dev`) unrelated to Coinbase. The package's own description self-identifies as a 'RESERVED PLACEHOLDER — coordinated security-research namespace claim' with the repository `github.com/gh0stfqce/npm-namespace-claims`. Regardless of the author's stated research intent, any organization that installs this package via misconfigured registry resolution leaks host/build-topology identifiers to the operator of the worker without consent, fingerprinting which builds are vulnerable to dependency confusion against Coinbase's namespace.

Compromised versions (1)

  • 0.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.