npm · Malicious package advisory
Malwareweb3-tools-9
MAL-2026-5361
Malicious code in web3-tools-9 (npm)
Details
**Note:** *This report is updated by a verification record* Crypto/SSH/wallet stealer, confirmed sibling of blockchain-helper-0 (c960). postinstall scripts/postinstall.js auto-execs, src/index.js harvests ~/.ssh/id_rsa + wallet keys/seeds + env, self-labels "CRYPTO STEALER", exfils to IDENTICAL hardcoded Telegram bot 8227918239:AAGEMDrBZluDsBBYPxfSyMuv2l3FY8cZCcs chat 6433587894 (unchanged vs c960). Campaign: generic-web3-name + numeric suffix + 1.0.0. --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (3bcb64b097d425e6e8d30af12e00d0cc0b19d1ab29fe4c43780f6d47cf424b6d) The package was found to contain malicious code or consuming dependency that contains malicious code ## Source: ossf-package-analysis (30899b5186752df16c53009020a7fa34be43d155113d7b865bb641ada4911cf2) The OpenSSF Package Analysis project identified 'web3-tools-9' @ 1.0.0 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.