{"id":"MAL-2026-5357","summary":"Malicious code in farming-tools-12 (npm)","details":"Crypto/SSH/wallet stealer, blockchain-helper-0 campaign sibling (c960+), same aicrypto-xzggg publisher and \"Core utilities for blockchain development\" description as swap-sdk-87/defi-tools-39. postinstall auto-execs, src/index.js harvests ~/.ssh keys + Sol/Eth/BTC/Tron/Sui/Aptos wallets + .env + seeds, self-labels \"CRYPTO STEALER\", exfils to SAME Telegram bot 8227918239 chat 6433587894 (not rotated). Inflated version (4.68.54).\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1a40867051c796d19f9e375a3f07f7cb616aaaa75fb51d557ea7c1ae0fbbd790)\nOn install (postinstall hook requires src/index.js), the package enumerates installer-side secrets — ~/.ssh/id_rsa and id_ed25519, ~/.config/solana/id.json, Ethereum keystore files, Bitcoin wallet.dat, Tron/Sui/Aptos wallet files, .env, mnemonic.txt, seed.txt — and uploads each found file to api.telegram.org/bot\u003ctoken\u003e/sendDocument using a hardcoded bot token (8227918239:AAGE...) and chat_id (6433587894). Hostname and username are also sent in a message labeled 'CRYPTO STEALER' for victim attribution. Execution is gated by anti-analysis checks (CI=true, GITHUB_ACTIONS, JENKINS_HOME, NODE_ENV=test, usernames matching runner/sandbox/docker, 12-hex docker container hostnames) and delayed by setTimeout(7434) so it fires only on real developer machines. The author's own message label confirms malicious intent.\n","modified":"2026-06-11T01:31:29.949542399Z","published":"2026-06-09T07:55:46Z","database_specific":{"malicious-packages-origins":[{"sha256":"1a40867051c796d19f9e375a3f07f7cb616aaaa75fb51d557ea7c1ae0fbbd790","id":"IN-MAL-2026-005348","versions":["4.68.54"],"modified_time":"2026-06-11T01:20:48Z","source":"amazon-inspector","import_time":"2026-06-11T01:21:50.865998287Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/farming-tools-12/v/4.68.54"}],"affected":[{"package":{"name":"farming-tools-12","ecosystem":"npm","purl":"pkg:npm/farming-tools-12"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["4.68.54"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/farming-tools-12/MAL-2026-5357.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"sha256":"b50403be9dd9f94f7af4795c1e346c9d27d5a18041a3044773238c4cdc1f4de4","tlsh":"fea173f50ef6b7108192e3a8524f60015476e1873c06ed65769c87987f8896ca2f2efd","path":"src/index.js"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-YHpMgitus8OzBQTRDB1bVYlQrPK1Rlvj5eFq6KCH31/WXN/LXBJZzm3bVM58+o48n+5xgqnIKHlCRFVBTXm8dw==","sha1":"20b3cffe633654b59cb0ea324803b58de04ab502"},"filename":"farming-tools-12-4.68.54.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}