{"id":"MAL-2026-5443","summary":"Malicious code in exodus-wallet-core (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (53bf93b626689e980ef2e9c4ba33fd95e81d6a04c665f85908c8cf07b8b36e14)\nPackage name impersonates the Exodus cryptocurrency wallet brand. package.json declares `\"postinstall\": \"node src/canary.js\"`, and src/canary.js performs a DNS lookup and HTTPS GET to a hardcoded Serveo reverse-tunnel host (`96e03fa6c292469a-172-245-86-254.serveousercontent.com/c`) on every `npm install`. Serveo (`serveousercontent.com`) is a reverse-SSH tunneling service frequently used to expose non-publisher hosts; this is not Exodus infrastructure. The callout leaks the installer's IP address and timing to the tunnel operator and demonstrates arbitrary install-time code execution on the installer's machine. Although the package self-describes as a HackerOne PoC canary, the technique is a live supply-chain attack pattern operating against any machine that installs it.\n","modified":"2026-06-09T18:01:36.162492362Z","published":"2026-06-09T17:44:29Z","database_specific":{"malicious-packages-origins":[{"sha256":"1ba93766fbae4c48460e40e317bf64f68251047d20cf43e4583db8d6be616bc8","source":"amazon-inspector","id":"IN-MAL-2026-005114","import_time":"2026-06-09T17:45:55.277187778Z","modified_time":"2026-06-09T17:44:29Z","versions":["99.0.0-canary.1"]},{"versions":["99.0.0-canary.1"],"source":"amazon-inspector","sha256":"53bf93b626689e980ef2e9c4ba33fd95e81d6a04c665f85908c8cf07b8b36e14","import_time":"2026-06-09T17:45:55.242015674Z","modified_time":"2026-06-09T17:44:29Z","id":"IN-MAL-2026-005113"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/exodus-wallet-core/v/99.0.0-canary.1"}],"affected":[{"package":{"name":"exodus-wallet-core","ecosystem":"npm","purl":"pkg:npm/exodus-wallet-core"},"versions":["99.0.0-canary.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/exodus-wallet-core/MAL-2026-5443.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-yCS1BZyZZYVIzGCYOgZkXrPDtCmpN2pBQgX/h/ukzc01m4nGYVZLMSee37C3HHZoSSfpIEoopIGyFNWQeYWhxw==","sha1":"aafe57861e08a477d866d5eee997e8f98f08b056"},"filename":"exodus-wallet-core-99.0.0-canary.1.tgz"}],"domains":["96e03fa6c292469a-172-245-86-254.serveousercontent.com"],"evidence_files":[{"path":"src/canary.js","tlsh":"4ed022fe91c4080aa3a047ac841a60cab94bc9f8008485d2730c86d220c0aeea2ac238","sha256":"ef2b6f485b2532da51b9f5f82a44416947f1d965023718a03005da3a51a68b45"},{"path":"package.json","tlsh":"c6d09708982042233cc88ae70ea2c0ca01242c031260bc2893a31404310cb770fb3140","sha256":"5ec01a1a499f3a403d991389af2af512ce196ac16c4c054d73e5db184e8a88f3"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}