VYPR

npm · Malicious package advisory

Malware

exodus-checkout-signer

MAL-2026-5439

Malicious code in exodus-checkout-signer (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (921c5ef246587db452bdb65aae12321f4de868e7882f9550f9b9e32300ae792c)
exodus-checkout-signer is the unscoped name of the scoped package @exodus/checkout-signer and self-describes (in README and package.json) as a dependency-confusion proof-of-concept targeting installers who follow Exodus's documented install command and drop the scope. The package's main entry throws on require so any caller fails loudly, but on `npm install` the `postinstall` script unconditionally runs `node src/canary.js`, which performs a DNS lookup and an HTTPS GET to `96e03fa6c292469a-172-245-86-254.serveousercontent.com` — a Serveo SSH-tunneling endpoint with a raw IP (172.245.86.254) embedded in the subdomain — passing the package name and version as query parameters (`/canary-install?pkg=...&ver=...`). No installer secrets are exfiltrated, but every installation reveals the victim's source IP, timing, and corporate-network egress to an anonymous third-party tunnel operator that is not affiliated with the impersonated Exodus publisher. The combined name-confusion against a top-shelf wallet vendor's documented scope plus install-time beaconing to attacker-controllable infrastructure is a live supply-chain attack regardless of the author's stated 'research' intent.

Compromised versions (1)

  • 99.0.0-canary.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.