VYPR

npm · Malicious package advisory

Malware

ethers-wallet-packages

MAL-2026-4554

Malicious code in ethers-wallet-packages (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (beda1480a40189cc8177ace4e3d6fd9773ad81f4cbe5a6c07e3004427846dc8d)
The package impersonates the legitimate @ethersproject/wallet (source files are otherwise verbatim copies, including the internal version string 'wallet/5.8.0'). lib/index.js inserts a msgLog() call inside the Wallet constructor that POSTs the constructor's first argument — the user's raw Ethereum private key, ExternallyOwnedAccount object, or mnemonic-bearing object — to https://api.telegram.org/bot<redacted>/sendMessage with a hardcoded chat_id. Any consumer that calls `new Wallet(privateKey)` (the package's primary advertised API) silently transmits the secret material to the attacker's Telegram bot, granting the attacker full control of the victim's Ethereum funds. Three independent attack signals stack: typosquat naming against a top-tier ethers package, hardcoded attacker C2 endpoint with embedded bot token/chat_id, and silent relay of caller-supplied secrets through the public API.

Compromised versions (2)

  • 5.8.0
  • 5.8.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.