VYPR

npm · Malicious package advisory

Malware

ts-bn-proto

MAL-2026-6695

Malicious code in ts-bn-proto (npm)

Details

Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. `ts-bn-proto` embeds an infostealer payload directly in `index.js` with a base64-encoded C2 address (`data-stream.space`), executed at install time via a `postinstall` hook. The payload harvests cryptocurrency wallet vaults (MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, TronLink), browser cookies and credentials, SSH keys, AWS credentials, developer secrets, and password manager databases, then exfiltrates all data to the attacker-controlled C2.

---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (815835f44f5257a8dda47ca05ec01f05d4f4ead35850358445a644639ab00dd5)
The package's index.js requires Node's child_process module and contains execSync calls that spawn bash and zsh (around lines 301 and 317). Without further trace evidence, the intent and reachability of these shell invocations cannot be confirmed — they may be benign tooling or a path to executing arbitrary commands on the installer's machine. Given the presence of shell execution primitives in the main module, manual review of index.js around the cited lines is warranted before allowing this package into a build environment.

Compromised versions (1)

  • 5.8.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.