{"id":"MAL-2026-10413","summary":"Malicious code in eth-base (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (bcc98bc680f3d0b8c6dcf396d9f2425a5153658259014384cedf82698413755b)\nThe published lib/index.js contains ~60KB of obfuscated JavaScript appended after a copy of the legitimate web3.js web3-core-subscriptions module. On require(), the appended IIFE loads axios, issues an HTTPS request to a URL reconstructed at runtime from custom base-85 alphabets, and on a specific response constructs `new Function('require', \u003cremote-token\u003e)(require)` to execute attacker-supplied JavaScript in-process with full Node require access. The corresponding src/index.js is the clean upstream module, indicating the payload was injected only into the shipped build. The package name and description impersonate a web3.js helper (LGPL header still credits Fabian Vogelsteller \u003cfabian@ethereum.org\u003e) while the repository field is empty. Consumers who require this package receive arbitrary code execution on the installing host at load time.\n","modified":"2026-07-13T07:47:02.301212494Z","published":"2026-07-13T06:51:45Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-07-13T06:51:45Z","sha256":"bcc98bc680f3d0b8c6dcf396d9f2425a5153658259014384cedf82698413755b","import_time":"2026-07-13T07:40:12.175169146Z","source":"amazon-inspector","id":"IN-MAL-2026-009837","versions":["1.0.0"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/eth-base/v/1.0.0"}],"affected":[{"package":{"name":"eth-base","ecosystem":"npm","purl":"pkg:npm/eth-base"},"versions":["1.0.0"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"54638a4a59c7b017aa8091d9d8c4a1c5b692293bff8f391cfd44a24eef47d80d2fb095","path":"lib/index.js","sha256":"e10aff66d009d9c112131880ed749fd55105931698bf60005f7a69bb3201cbcd"},{"tlsh":"43016d38c8655cb305de62a6fc99454292b5520f0d18bc48339c62ac4f6d1df54fe79e","path":"package.json","sha256":"6e929f6afa0314788a5da0d125dd1f88ac530fea0cd31c9c6ae62ed4bf73a142"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-jiqLppgvoS7DKPtqxSqitcN5X8heh9/KsY9jRd8HJsjEl+3uWn8q1cWmjcMUxWj3286K1nP/2G688IE+tgeMmg==","sha1":"12e2dc0a3c9d53fb5bef37f3dde4d49ec1ece92d"},"filename":"eth-base-1.0.0.tgz"}]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eth-base/MAL-2026-10413.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}