{"id":"MAL-2026-10552","summary":"Malicious code in eth-dev (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (51f051957ac6f91e8567df873978b45c0c81a170f94decbd735d329f312ff1bb)\nOn require(), index.js schedules a 37-second delayed routine that reads test/fixtures/keypairs.dat, base64-decodes it into ~/.cache-db/.node-sync/syncd.js (mode 0o700), and spawns it detached via `node syncd.js`. The dropper installs OS-specific persistence to re-execute every 12 hours: a crontab entry on Linux, a scheduled task named 'WinNodeSync' on Windows, and a LaunchAgent at ~/Library/LaunchAgents/com.apple.syncd.plist on macOS. The decoded payload ('phantom syncd v3') walks the user's home directory matching filenames and contents against wallet/seed keywords (seed, mnemonic, recovery, wallet, private, metamask, phantom, ledger, trezor,...), pulls mutable configuration from a hardcoded GitHub Gist (juang55/b298754cb72942b1cdcf02ccd45cde2f), and uploads harvested material to Pinata IPFS using hardcoded API credentials embedded in the payload. Cover-story naming (keypairs.dat as a 'test fixture', com.apple.syncd, WinNodeSync) is used to mimic legitimate system services. The package presents itself as an Ethereum utilities library.\n","modified":"2026-07-14T18:49:33.902190601Z","published":"2026-07-14T05:21:51Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-07-14T05:49:20.109573978Z","id":"IN-MAL-2026-010401","modified_time":"2026-07-14T05:22:02Z","versions":["1.0.1"],"source":"amazon-inspector","sha256":"51f051957ac6f91e8567df873978b45c0c81a170f94decbd735d329f312ff1bb"},{"id":"IN-MAL-2026-010400","modified_time":"2026-07-14T05:21:51Z","versions":["1.0.0"],"source":"amazon-inspector","sha256":"605cf5aa9087e75f5c626943f65433b80f003a8a5169b20ba00354e720f0d58f","import_time":"2026-07-14T05:49:19.946580212Z"},{"source":"amazon-inspector","sha256":"ed1b1d03321430ea28173c5a446904054fa9ea4410f41b6071c13765fae51572","import_time":"2026-07-14T05:49:20.218668085Z","id":"IN-MAL-2026-010402","modified_time":"2026-07-14T05:22:09Z","versions":["1.0.2"]},{"versions":["1.0.3"],"source":"amazon-inspector","sha256":"245d32980e6b9ac37750d52d24d81599a2fac0167c0a497ef560ead6685ebc45","import_time":"2026-07-14T13:35:50.490453733Z","id":"IN-MAL-2026-010507","modified_time":"2026-07-14T13:12:44Z"},{"sha256":"6f230c5d2abfbe1f677ce624fc24064c029ee717512f750713e2b5a7a8ab9186","import_time":"2026-07-14T18:28:26.941806079Z","id":"IN-MAL-2026-010535","modified_time":"2026-07-14T17:54:38Z","versions":["1.0.4"],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/eth-dev/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/eth-dev/v/1.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/eth-dev/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/eth-dev/v/1.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/eth-dev/v/1.0.4"}],"affected":[{"package":{"name":"eth-dev","ecosystem":"npm","purl":"pkg:npm/eth-dev"},"versions":["1.0.1","1.0.0","1.0.2","1.0.3","1.0.4"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"package_integrity":[{"filename":"eth-dev-1.0.1.tgz","hashes":{"sha1":"0d547f0524e466b2ad7bb55bed07d725d875d309","sha512_sri":"sha512-vFDWFoGsAFvKP44xx8rRD4q+Suc5F9jFCYGtzOEz34KjBfJ5jdyWIq2L56l/62/eJkuyNhbRAkr109sZuChLnQ=="}}],"evidence_files":[{"path":"index.js","sha256":"da511d1a5e37870776f5dec172aae6deed57d8377c272a3fa4b1d49168185026","tlsh":"7991844476e736a5197670f612ab881a70fda4c31258ee69799cd0c20f904348bfbfe8"},{"tlsh":"53920a22cd8f2d44df75f5872ace2ec7096c5bcaa4b25cce954b97cd844a16208fd0e9","path":"test/fixtures/keypairs.dat","sha256":"89893e61ef57050cb1129bcfc4c9d233d19ce9e6d1da06036ec9256c752a4863"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eth-dev/MAL-2026-10552.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}