VYPR

npm · Malicious package advisory

Malware

crypt0co-walet-poc

MAL-2026-4540

Malicious code in crypt0co-walet-poc (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b5510d98b1e380f6c130bf9b4428321d711ae88d8a4fcb66368a2f6fb4e7ff58)
On require/import, index.js (lines 6-12) serializes the full process.env to /tmp/poc_impact.json and runs `whoami` and `ip addr` via execSync to fingerprint the host. Any consumer that imports this package leaks every environment variable available to the Node process — on CI and developer machines this routinely includes cloud credentials, npm/GitHub tokens, and other secrets — into a predictable, world-readable path in /tmp where any local user or subsequent process can read them. The package name `crypt0co-walet-poc` uses character substitutions (`0` for `o`, `walet` for `wallet`) consistent with impersonation of crypto-wallet packages, and the code self-labels as `CRITICAL IMPACT POC P0`. Author metadata fields (description, keywords, author) are empty. Even if the publisher's stated intent is bug-bounty research, the installer harm — full environment dump plus recon command execution at import time — is real and unconsented.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.