{"id":"MAL-2026-5440","summary":"Malicious code in exodus-ethereum-sdk (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (b4e52a42f8980da0a9df361ef772ca31bbdaec85eb3fc7a73dbcfc8b5ca6894a)\nPackage name impersonates the Exodus cryptocurrency wallet brand and ships no real functionality (src/index.js exports an empty object; package.json self-describes as a 'HackerOne PoC'). The package.json declares a postinstall hook (`node src/canary.js`) which fires automatically on `npm install`. src/canary.js performs a DNS lookup and HTTPS GET to a hardcoded `96e03fa6c292469a-172-245-86-254.serveousercontent.com` subdomain — Serveo is an anonymous reverse-tunnel service, so the destination is operator-controlled and not tied to any identifiable publisher. Each install reveals the installer's public IP and DNS resolver to whoever currently controls that tunnel. Combined with the brand-impersonating name (installers may pull this expecting a legitimate Exodus SDK), the package functions as an install-time beacon against unsuspecting installers regardless of the author's stated 'research' intent.\n","modified":"2026-06-09T18:01:29.764002784Z","published":"2026-06-09T17:44:04Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-005108","versions":["99.0.0-canary.1"],"modified_time":"2026-06-09T17:44:05Z","source":"amazon-inspector","import_time":"2026-06-09T17:45:55.018154015Z","sha256":"25c8b4456182ead7b8240cb61979ed48aaea35af26ec1dc2f259d35e7da87673"},{"import_time":"2026-06-09T17:45:54.982173033Z","id":"IN-MAL-2026-005107","versions":["99.0.0-canary.1"],"source":"amazon-inspector","modified_time":"2026-06-09T17:44:04Z","sha256":"b4e52a42f8980da0a9df361ef772ca31bbdaec85eb3fc7a73dbcfc8b5ca6894a"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/exodus-ethereum-sdk/v/99.0.0-canary.1"}],"affected":[{"package":{"name":"exodus-ethereum-sdk","ecosystem":"npm","purl":"pkg:npm/exodus-ethereum-sdk"},"versions":["99.0.0-canary.1"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/exodus-ethereum-sdk/MAL-2026-5440.json","indicators":{"evidence_files":[{"path":"src/canary.js","tlsh":"4ed022fe91c4080aa3a047ac841a60cab94bc9f8008485d2730c86d220c0aeea2ac238","sha256":"ef2b6f485b2532da51b9f5f82a44416947f1d965023718a03005da3a51a68b45"},{"tlsh":"40d09744882002333dc889f70ea2c08a02243c071220bc2ca3632444300cb774fb7210","path":"package.json","sha256":"f0682bf3cf01c653c485e39f4134abc441b6d547a31201815c691dc86115d304"}],"domains":["96e03fa6c292469a-172-245-86-254.serveousercontent.com"],"package_integrity":[{"hashes":{"sha1":"8dd97a66d13aea53e24d30188bddd69d28dde794","sha512_sri":"sha512-J9oxnPj08jPZ0izKQkTSBSMFQcAr3GUAdTnG+kSI9TuJZ/X1/tMhpPhs50xeyQ36esqtQHPzznDXTa6g4tgs9w=="},"filename":"exodus-ethereum-sdk-99.0.0-canary.1.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}