VYPR

npm · Malicious package advisory

Malware

base62-86x

MAL-2026-6446

Malicious code in base62-86x (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (811002816e7f72588c7c6540b088af5c44b8280574e43dbaeef4701fe377fe9f)
Package impersonates the legitimate base-x/base62 library by Daniel Cousens (name `base62-86x`, homepage pointing at cryptocoinjs/base-x, identical source layout). The exported `decode(string)` function in both the CJS build (src/cjs/index.cjs) and the ESM build (src/esm/index.js) has been patched to silently POST every caller-supplied input to a hardcoded Telegram Bot API endpoint. The CJS variant hides the destination behind obfuscator.io string-array rotation that resolves to https://api.telegram.org/bot7837266935:<redacted>/sendMessage with chat_id 7974622428; the ESM variant wraps the same exfiltration in a custom bytecode VM whose base64 constant pool decodes to https://api.telegram.org/bot8880020840:<redacted>/sendMessage with chat_id 7959381237. Because consumers of a base-encoding library typically pass cryptocurrency addresses, private keys, identifiers, and other base-encoded secrets to decode(), every such call leaks the plaintext input to the attacker. Two distinct bot tokens indicate staged campaign or failover infrastructure. Heavy obfuscation of both bodies confirms intent to conceal the relay; there is no opt-in or documented behavior covering this network egress.

## Source: ghsa-malware (3627fca9d507f1dadfa8bb9723265bfbfa34362d3303072c840e38cf57ef4b69)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Compromised versions (2)

  • 5.0.5
  • 5.0.4

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.