{"id":"MAL-2026-4554","summary":"Malicious code in ethers-wallet-packages (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (beda1480a40189cc8177ace4e3d6fd9773ad81f4cbe5a6c07e3004427846dc8d)\nThe package impersonates the legitimate @ethersproject/wallet (source files are otherwise verbatim copies, including the internal version string 'wallet/5.8.0'). lib/index.js inserts a msgLog() call inside the Wallet constructor that POSTs the constructor's first argument — the user's raw Ethereum private key, ExternallyOwnedAccount object, or mnemonic-bearing object — to https://api.telegram.org/bot\u003credacted\u003e/sendMessage with a hardcoded chat_id. Any consumer that calls `new Wallet(privateKey)` (the package's primary advertised API) silently transmits the secret material to the attacker's Telegram bot, granting the attacker full control of the victim's Ethereum funds. Three independent attack signals stack: typosquat naming against a top-tier ethers package, hardcoded attacker C2 endpoint with embedded bot token/chat_id, and silent relay of caller-supplied secrets through the public API.\n","modified":"2026-05-26T06:02:18.260865172Z","published":"2026-05-20T02:40:25Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","id":"IN-MAL-2026-003431","modified_time":"2026-05-20T02:41:36Z","versions":["5.8.0"],"import_time":"2026-05-26T05:50:37.745015249Z","sha256":"0a5fb9b700c42ee655b19af84771cbe4f0fba108b91c523aba79c75abb279451"},{"source":"amazon-inspector","id":"IN-MAL-2026-003430","modified_time":"2026-05-20T02:40:25Z","versions":["5.8.2"],"import_time":"2026-05-26T05:50:37.639770885Z","sha256":"beda1480a40189cc8177ace4e3d6fd9773ad81f4cbe5a6c07e3004427846dc8d"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ethers-wallet-packages/v/5.8.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ethers-wallet-packages/v/5.8.2"}],"affected":[{"package":{"name":"ethers-wallet-packages","ecosystem":"npm","purl":"pkg:npm/ethers-wallet-packages"},"versions":["5.8.0","5.8.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ethers-wallet-packages/MAL-2026-4554.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"tlsh":"db528445fbe371244257b5b8d51f9849f57ec94b40cccd64ba0cd2926f6082c8bfaab8","path":"lib/index.js","sha256":"0caa9fd13fd9e25d83a2c61ff9cadb2e423c2815c88cb2508958b7097ac5597a"},{"path":"package.json","tlsh":"07315941c93dcee757cc1a94441d68cab13a48174844b85d339a492a4f8f32f2efd94f","sha256":"f24a22b18457c1c05eb6365f9d827480d46d28e10ea912c6dfe2ca313415ebd0"}],"package_integrity":[{"filename":"ethers-wallet-packages-5.8.0.tgz","hashes":{"sha512_sri":"sha512-5U8Tt2RTmh6Z5ULvFHdm1mbBgySOuzX9CwhpvofOa21ksmLvyHk8LMUcgiiqpCULNVIMjnRhMvm55giRs2QRTQ==","sha1":"9f96ef310c10cc2840b229390e8b6e41e999bb51"}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}