{"id":"MAL-2026-4540","summary":"Malicious code in crypt0co-walet-poc (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (b5510d98b1e380f6c130bf9b4428321d711ae88d8a4fcb66368a2f6fb4e7ff58)\nOn require/import, index.js (lines 6-12) serializes the full process.env to /tmp/poc_impact.json and runs `whoami` and `ip addr` via execSync to fingerprint the host. Any consumer that imports this package leaks every environment variable available to the Node process — on CI and developer machines this routinely includes cloud credentials, npm/GitHub tokens, and other secrets — into a predictable, world-readable path in /tmp where any local user or subsequent process can read them. The package name `crypt0co-walet-poc` uses character substitutions (`0` for `o`, `walet` for `wallet`) consistent with impersonation of crypto-wallet packages, and the code self-labels as `CRITICAL IMPACT POC P0`. Author metadata fields (description, keywords, author) are empty. Even if the publisher's stated intent is bug-bounty research, the installer harm — full environment dump plus recon command execution at import time — is real and unconsented.\n","modified":"2026-05-26T06:02:25.931228346Z","published":"2026-05-21T22:33:52Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-004052","modified_time":"2026-05-21T22:33:52Z","source":"amazon-inspector","sha256":"b5510d98b1e380f6c130bf9b4428321d711ae88d8a4fcb66368a2f6fb4e7ff58","import_time":"2026-05-26T05:51:50.776375939Z","versions":["1.0.0"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/crypt0co-walet-poc/v/1.0.0"}],"affected":[{"package":{"name":"crypt0co-walet-poc","ecosystem":"npm","purl":"pkg:npm/crypt0co-walet-poc"},"versions":["1.0.0"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"filename":"crypt0co-walet-poc-1.0.0.tgz","hashes":{"sha1":"83cd2a016c6afac178f0f898d46bb83d0682b358","sha512_sri":"sha512-qo0lFEfOD54THH5e+5Q0++S/QWpnA9tJJ9Y+txCgpBr7z9iSKfiaAr7osd7jjhFotXP2b544sQSt+aczeaZckw=="}}],"evidence_files":[{"path":"index.js","sha256":"fdb1d3127b85d6bf3fde19d20d9c4630ca36dbd6865c5c57e0365fefb2e72ae7","tlsh":"281157650aa552b83cf100c27f4790622187ae633650e1e9712d97f25fc9988922a4ff"},{"path":"package.json","tlsh":"4ed0a7281eb2943315c052260d69d552b761df5f04547c0c63cf582c92efab769fa30d","sha256":"d6a4f7ebf805c21e69378d611c5080ddf5b3d92ac60d9c06c17a6ecd6c95d4d2"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/crypt0co-walet-poc/MAL-2026-4540.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}