{"id":"MAL-2026-3719","summary":"Malicious code in web3-core-js (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (46f9612aaab12b9656a1f1b5fbd7684fdcd57833bbf76d14b2a243f679cb0977)\npackage.json declares a lifecycle hook that invokes require('child_process') and execSync with a curl command at install time. This pattern fetches remote content and executes it on the installer's machine as part of `npm install`, before any user code runs. The package name mimics the widely-used web3/web3-core ecosystem while shipping only a lifecycle trigger for remote execution — no library code consistent with the claimed web3 purpose is present. Running `npm install web3-core-js` on any developer or CI machine results in arbitrary attacker-controlled bytes being fetched and executed with the privileges of the installing user.\n\n## Source: ossf-package-analysis (44e1f40536600c94540b0fd722439856b2f118f6090709db7461f5aa06fc2fb4)\nThe OpenSSF Package Analysis project identified 'web3-core-js' @ 2.0.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-05-15T07:51:48.715022Z","published":"2026-05-13T11:51:32Z","database_specific":{"malicious-packages-origins":[{"versions":["2.0.0"],"source":"ossf-package-analysis","sha256":"44e1f40536600c94540b0fd722439856b2f118f6090709db7461f5aa06fc2fb4","modified_time":"2026-05-13T12:10:45Z","import_time":"2026-05-13T21:58:23.286634175Z"},{"versions":["1.0.0"],"source":"ossf-package-analysis","sha256":"c0a95589cd0b99b71ac59651cbd59198745377c7812ab23b040f6cb5d8e57710","modified_time":"2026-05-13T11:51:32Z","import_time":"2026-05-13T21:58:23.870373359Z"},{"source":"amazon-inspector","versions":["1.0.0"],"id":"IN-MAL-2026-002722","sha256":"46f9612aaab12b9656a1f1b5fbd7684fdcd57833bbf76d14b2a243f679cb0977","modified_time":"2026-05-14T19:25:25Z","import_time":"2026-05-15T07:37:18.083758968Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/web3-core-js/v/1.0.0"}],"affected":[{"package":{"name":"web3-core-js","ecosystem":"npm","purl":"pkg:npm/web3-core-js"},"versions":["2.0.0","1.0.0"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"faf0dc14bf105ab328c19e660a179ace5277c90b40647c58b29fa05c43dcbab14fba5a","path":"package.json","sha256":"98eb7c4c2c264f51ed009e166ac42759ba3f12ae963a217346de9d542cacb24f"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-LKgvmDuz75CrI7g7kNhQnYFEjVqXUoeEm7nNUeRxjsnBozTBJFsVOeZKTrNb7Zz2VTkTcD8QPkPNK30LODPEVg==","sha1":"9b708127c55085dcceecd0b74d78b0fca4e3de1c"},"filename":"web3-core-js-1.0.0.tgz"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/web3-core-js/MAL-2026-3719.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}