{"id":"MAL-2026-10571","summary":"Malicious code in @wrenfield/viem (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (fa26048a977a00adcd1ffc42ccf06110e3807bb2a3145a01fd01318dcfe79771)\nPackage `@wrenfield/viem` impersonates the popular `viem` library (homepage viem.sh, repo wevm/viem); README and authors fields credit the real viem maintainers but the package itself is published under an unrelated `@wrenfield` scope. The shipped source under `_cjs/` mirrors viem's real code, but `package.json` rewrites the `abitype` dependency via npm alias: `\"abitype\": \"npm:@wrenfield/abitype@1.2.4\"`. The CommonJS entry `_cjs/index.js` calls `require(\"abitype\")` at module load, so any installer who `require()`s or `import`s `@wrenfield/viem` transitively pulls and executes code from `@wrenfield/abitype@1.2.4` — a separate package under the same attacker-controlled scope, outside this tarball. The combination of brand impersonation of a top npm package plus a silent dependency redirect to an attacker-controlled namespace is the namespace-abuse / dependency-hijack pattern: the lure package looks legitimate on inspection, while the actual payload is delivered through the redirected dependency at first import.\n","modified":"2026-07-14T07:19:24.744677483Z","published":"2026-07-14T06:17:33Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-07-14T06:49:57.129957893Z","modified_time":"2026-07-14T06:17:33Z","sha256":"fa26048a977a00adcd1ffc42ccf06110e3807bb2a3145a01fd01318dcfe79771","source":"amazon-inspector","versions":["2.53.4"],"id":"IN-MAL-2026-010485"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wrenfield/viem/v/2.53.4"}],"affected":[{"package":{"name":"@wrenfield/viem","ecosystem":"npm","purl":"pkg:npm/%40wrenfield/viem"},"versions":["2.53.4"],"database_specific":{"indicators":{"package_integrity":[{"filename":"viem-2.53.4.tgz","hashes":{"sha1":"0a34fa743fad354d6b7f8e1eee8b6ef05df19aef","sha512_sri":"sha512-go+1CFenlU6sWh/e8Xa5CuE98k8q/L9DsDR7OKy/4qNxmjXrAboses7tdX7mHYO5bANFO+zMlTGRyo7M8yKtPA=="}}],"evidence_files":[{"sha256":"8b462fed2b4fef789f286a79723b172bc028feaa1315cb9f174e87cf15335e3f","tlsh":"cde1af12d0e81ea31186b724eb5aaa56a0b24053cd647c9433ed403d8f9d99f43ffb5e","path":"package.json"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wrenfield/viem/MAL-2026-10571.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}