VYPR

npm · Malicious package advisory

Malware

web3-eth-utils

MAL-2026-6326

Malicious code in web3-eth-utils (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4a262e70316cd74a87b043cd1985e456639781763d4a3ef69aa09d99a2795154)
Package name, README, repository URL, contributors, and module structure are copied from the legitimate '@ethereumjs/util' / 'ethereumjs-util' package, presenting itself as a drop-in for that widely-used Ethereum utility library. The compiled Node entry dist/index.js contains a side-effect-only `require("assertcore")` at line 60 (no symbols from the module are used), and assertcore is declared as a runtime dependency (^3.1.7) in package.json. This `require` is absent from the TypeScript source src/index.ts and from the browser bundle dist.browser/index.js — it was injected into the shipped Node bundle after the build, a deliberate smuggling pattern. Any consumer who installs web3-eth-utils believing it to be the real ethereumjs util package will pull assertcore into their dependency tree and execute its top-level code at every `require('web3-eth-utils')`, handing arbitrary install/require-time execution to the assertcore maintainer.

Compromised versions (1)

  • 6.2.8

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.