npm · Malicious package advisory
Malwareethers-wallet-packages
MAL-2026-4554
Malicious code in ethers-wallet-packages (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (beda1480a40189cc8177ace4e3d6fd9773ad81f4cbe5a6c07e3004427846dc8d) The package impersonates the legitimate @ethersproject/wallet (source files are otherwise verbatim copies, including the internal version string 'wallet/5.8.0'). lib/index.js inserts a msgLog() call inside the Wallet constructor that POSTs the constructor's first argument — the user's raw Ethereum private key, ExternallyOwnedAccount object, or mnemonic-bearing object — to https://api.telegram.org/bot<redacted>/sendMessage with a hardcoded chat_id. Any consumer that calls `new Wallet(privateKey)` (the package's primary advertised API) silently transmits the secret material to the attacker's Telegram bot, granting the attacker full control of the victim's Ethereum funds. Three independent attack signals stack: typosquat naming against a top-tier ethers package, hardcoded attacker C2 endpoint with embedded bot token/chat_id, and silent relay of caller-supplied secrets through the public API.
Compromised versions (2)
- 5.8.0
- 5.8.2
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.