{"id":"MAL-2026-3707","summary":"Malicious code in ethers-common (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9a7b953533124edcc31e4293ed6bffe010e9110d795f812ba432de8b81d4d558)\npackage.json declares a postinstall hook that base64-decodes the URL http://8.217.75.147:3000/payload, fetches it via curl over plain HTTP, and pipes the response directly into bash. This executes attacker-controlled code on every installer's machine at `npm install` time, with no integrity verification and an obfuscated (base64) destination. The package itself is a hollow lure: index.js exports an empty object, and the package name and description (\"Utilities for Web3/ethers development\") impersonate the well-known `ethers` Web3 library to bait installs. The combination of bare-IP C2, plain HTTP, base64-obfuscated URL, curl|bash dropper in a lifecycle hook, and an empty cover-story library is unambiguous supply-chain attack.\n\n## Source: ossf-package-analysis (48af3bdbd3b7966516ff3ab4baf1a946a38ce1735dc0c8fb41b2bc9abfa30449)\nThe OpenSSF Package Analysis project identified 'ethers-common' @ 1.0.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-05-15T07:53:09.429195Z","published":"2026-05-13T11:58:47Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-13T11:58:47Z","import_time":"2026-05-13T21:58:24.228904145Z","source":"ossf-package-analysis","sha256":"48af3bdbd3b7966516ff3ab4baf1a946a38ce1735dc0c8fb41b2bc9abfa30449","versions":["1.0.0"]},{"modified_time":"2026-05-13T12:00:47Z","import_time":"2026-05-13T21:58:24.971817131Z","source":"ossf-package-analysis","sha256":"9e00b24a32d5d4b92af87962a2fa77bc1f04e333744e353363356c1ba22f566e","versions":["2.0.0"]},{"modified_time":"2026-05-14T19:25:17Z","import_time":"2026-05-15T07:37:17.652338172Z","source":"amazon-inspector","sha256":"0b13b1ccfe277b0f90374ea218d61f0b9f61ddef086b2444a679913a6551ac21","versions":["1.0.0"],"id":"IN-MAL-2026-002710"},{"modified_time":"2026-05-15T03:08:28Z","import_time":"2026-05-15T07:37:20.144273474Z","source":"amazon-inspector","sha256":"9a7b953533124edcc31e4293ed6bffe010e9110d795f812ba432de8b81d4d558","versions":["1.0.0"],"id":"IN-MAL-2026-002807"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ethers-common/v/1.0.0"}],"affected":[{"package":{"name":"ethers-common","ecosystem":"npm","purl":"pkg:npm/ethers-common"},"versions":["1.0.0","2.0.0"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"34f0ab009b506ab328c49f920e1ea6cb6073891700587c54b38fa06d03dd7af14ff55e","sha256":"78c042ae0304ee61a00ec5eb1b5d7c64892b6aa61e3a388902439f6118193961","path":"package.json"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-J9u5EDtc+Vh39s9ww94BquNv+4/m/BzKkuFjZBZPbnpAQSVioTcDVP+KBSMj+mOoa+9eTJbQ2KEROpN8TgXcJg==","sha1":"d6049be5c41b2bdde1f0a2429665b0386a9d1b55"},"filename":"ethers-common-1.0.0.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ethers-common/MAL-2026-3707.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}