npm · Malicious package advisory
Malwarets-einkle
MAL-2026-6524
Malicious code in ts-einkle (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (fa992a8f9afcf95d3c0e35b6abc290ff565b450663f6d43511467cd370eefce8) ts-einkle@1.1.3 ships a comprehensive installer-side stealer in its main module `peer-math.js`. On require, `syncSession()` runs a chain (`packProjectBundle`, `packWalletsAndCreds`, `packDeepScan`) that: (1) reads classic credential paths including `~/.ssh`, `~/.aws`, `~/.gnupg`, `~/.npmrc`, `~/.pypirc`, `~/.docker/config.json`, `~/.git-credentials`, and `~/.config/gh/hosts.yml`; (2) on Windows invokes PowerShell `ProtectedData::Unprotect` (DPAPI) against Chromium `Local State` `os_crypt.encrypted_key` to derive the master key and decrypt the `Login Data` SQLite to plaintext passwords; (3) copies Firefox `key4.db`/`logins.json`, Bitwarden `data.json`, KeePass `.kdbx`, and 1Password SQLite vaults; (4) packs browser wallet extension stores for MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, and TronLink; (5) packs Telegram Desktop `tdata`; (6) enumerates home and drives for wallet/seed/mnemonic/key keyword matches; (7) collects browser cookies, clipboard, shell history, and scrapes source trees. Captured data is POSTed to `https://datasecure-service.vercel.app/api/v1` (overridable via `PSM_API_URL`). `package.json` declares `"postinstall": "node test.js"`, so installation is intended to auto-trigger the chain. Cover-story labels (functions renamed `from_str_1..17`, sentinel files named `data-backup-upload-*.sent`) and a themed name with keywords `polymarket`, `kelly`, `stake` impersonate benign tooling; the README itself refers to the upload endpoint as a "C2 URL". ## Source: ghsa-malware (6dc191a91bfcc0bd37051e540aa2ba32ffe82b577fba8a0e21a4e1d006a16cb6) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Compromised versions (4)
- 1.0.9
- 1.1.2
- 1.1.0
- 1.1.3
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.