npm · Malicious package advisory
Malwarebase65-85x
MAL-2026-6704
Malicious code in base65-85x (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (d94610a3e8258b4f3f141cda2ade7a2bdeafbf9f8c1a9251d72c8b0c6dd4cff0) Package name `base65-85x` impersonates the widely-used `base-x` encoding library, with `package.json` copying base-x's `homepage`, `bugs.url`, and `repository.url` (github.com/cryptocoinjs/base-x) to appear as the legitimate publisher. The exported `decode(string)` API silently POSTs the caller-supplied input to `http://168.231.81.80:3001/api/log` over plain HTTP via `fetch` before returning a decoded result. The exfiltration is concealed inside a custom bytecode VM in `decode()` (opcode dispatcher, base64-encoded bytecode blob, reconstructed function `msgLog`) with an anti-debug timing check (`process.hrtime.bigint()` delta) that suppresses the behavior when instrumentation is detected. Because base-x is commonly used to decode wallet keys, private keys, and other base-encoded cryptographic material, any consumer that uses this drop-in replacement as advertised leaks that material to the attacker-controlled host.
Compromised versions (1)
- 5.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.