{"id":"MAL-2026-5353","summary":"Malicious code in crypto-utils-7 (npm)","details":"Crypto/SSH/wallet stealer, blockchain-helper-0/web3-tools-9 campaign sibling (c960/c961). postinstall scripts/postinstall.js auto-execs, src/index.js harvests ~/.ssh/id_rsa+wallet keys/seeds+env, self-labels \"CRYPTO STEALER\", exfils to IDENTICAL Telegram bot 8227918239 chat 6433587894 (not rotated). Generic-crypto-name + numeric suffix + 1.0.0 pattern.","modified":"2026-06-09T12:01:27.902483648Z","published":"2026-06-09T07:55:28Z","database_specific":{"malicious-packages-origins":null},"references":[{"type":"REPORT","url":"https://app.safedep.io/community/malysis/01KTN5C3TJZG5F660Y9K4BDYDN"}],"affected":[{"package":{"name":"crypto-utils-7","ecosystem":"npm","purl":"pkg:npm/crypto-utils-7"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/crypto-utils-7/MAL-2026-5353.json"}}],"schema_version":"1.7.5","credits":[{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}