{"id":"MAL-2026-3673","summary":"Malicious code in 3pool-sushibar (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (5112bb2ea3570e56be6525c48ef026624f46dead693e78333696273c911c6c42)\nThis package is a dependency-chain dropper. package.json declares 15 undocumented dependencies in three numbered families (web3chain02032*, rusttool0701*, btc202523*) pinned to ^1.1.1, none of which appear in the README that describes a standalone Go miner. The bundled tranpack.sh proves the campaign: an infinite loop that rewrites package.json's name from a ~500-word crypto/DeFi wordlist and runs `npm publish`, and the current name `3pool-sushibar` is an output of that generator. The package itself is non-functional — the declared main entry index.js does not exist — confirming that its only purpose is to pull in attacker-controlled siblings. Two undocumented 22MB Windows.exe binaries with mismatched hashes further contradict the README's source-only build story. Running `npm install 3pool-sushibar` fetches 15 attacker-controlled packages whose code is one hop away from inspection here; this is direct installer harm via namespace-abuse plus typosquat lure.\n","modified":"2026-05-13T20:21:39.561171Z","published":"2026-05-12T07:42:21Z","database_specific":{"malicious-packages-origins":[{"sha256":"5112bb2ea3570e56be6525c48ef026624f46dead693e78333696273c911c6c42","versions":["1.0.0"],"id":"IN-MAL-2026-002166","source":"amazon-inspector","modified_time":"2026-05-12T19:03:07Z","import_time":"2026-05-13T20:10:52.155142725Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/3pool-sushibar/v/1.0.0"}],"affected":[{"package":{"name":"3pool-sushibar","ecosystem":"npm","purl":"pkg:npm/3pool-sushibar"},"versions":["1.0.0"],"database_specific":{"indicators":{"package_integrity":[{"filename":"3pool-sushibar-1.0.0.tgz","hashes":{"sha512_sri":"sha512-2gWpEcrZ1+7FlPh0r3MN3tz2dKxCjYZatJyM/zcA3PXTDO8+sWlUvT6wi0l3VrKvFsOhF5Ma3Df6po0IhyLuUA==","sha1":"0643af94cdd04282527e983bb73a8201c3195b68"}}],"evidence_files":[{"sha256":"c4378a5c3df23278db5252054add3d6a525f98fd747f5c1ee56a7415c4fd084c","path":"package.json","tlsh":"741103a1cf26cab30e9d25dc855d002df2618a278845f81d37d7564ccb1e6ab71b817d"},{"sha256":"73def82b6c52b14bd664007f99f7f469efd809fe99bc5297a77d17674e75459d","path":"tranpack.sh","tlsh":"8ed12f32f6414c3486ea03ee49650956f385c28bc389107cff4bbb8cab6ef5ad956614"},{"sha256":"3dbe880f08a8c880bdf647e11826acdc58198cd54a55b8c22402118b80c67423","path":"powerc20.exe","tlsh":"52273a42f65049eacaa98674c9aa4385b770fc405f26a7c72b05f63c3c737d89eb8354"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/3pool-sushibar/MAL-2026-3673.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}