npm · Malicious package advisory
Malwareexodus-wallet-core
MAL-2026-5443
Malicious code in exodus-wallet-core (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (53bf93b626689e980ef2e9c4ba33fd95e81d6a04c665f85908c8cf07b8b36e14) Package name impersonates the Exodus cryptocurrency wallet brand. package.json declares `"postinstall": "node src/canary.js"`, and src/canary.js performs a DNS lookup and HTTPS GET to a hardcoded Serveo reverse-tunnel host (`96e03fa6c292469a-172-245-86-254.serveousercontent.com/c`) on every `npm install`. Serveo (`serveousercontent.com`) is a reverse-SSH tunneling service frequently used to expose non-publisher hosts; this is not Exodus infrastructure. The callout leaks the installer's IP address and timing to the tunnel operator and demonstrates arbitrary install-time code execution on the installer's machine. Although the package self-describes as a HackerOne PoC canary, the technique is a live supply-chain attack pattern operating against any machine that installs it.
Compromised versions (1)
- 99.0.0-canary.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.