VYPR

npm · Malicious package advisory

Malware

wagmi_util

MAL-2026-6347

Malicious code in wagmi_util (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e44ca5f8da70044150618d34a591d8a6d72aa77a5e22eb30da3e86f4b74c76ef)
Package `wagmi_util` impersonates the popular `wagmi` package: it copies wagmi's tagline ("React Hooks for Ethereum"), re-exports wagmi's full React-hooks public API (WagmiProvider, useConnect, useWalletClient, useSignMessage, useSendTransaction, useWriteContract, etc.), and links to wagmi.sh in JSDoc — while being published by an unrelated author with no legitimate `wagmi_util` package existing under the wevm namespace. The package.json declares a runtime dependency on `sync-external@1.6.2`, but no source file in the package imports `sync-external`; every internal use of `useSyncExternalStoreWithSelector` imports the legitimate `use-sync-external-store/shim/with-selector.js` instead. Installing `wagmi_util` therefore silently pulls `sync-external@1.6.2` into the installer's dependency tree even though the wrapper's own code never loads it. The wrapper itself is clean re-exports of wagmi; the attack surface is the unused-but-pinned transitive, which a developer choosing a wagmi-adjacent utility would not expect to receive.

Compromised versions (1)

  • 3.6.19

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.