{"id":"MAL-2026-6192","summary":"Malicious code in nodepathbalance54 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d5ade836e7f92049242a01dbc0782900900c4e28eb7e08f9d9ebc611aab80762)\nnodepathbalance54 exports a single function (`nodeaxionweb`) whose implementation is hidden inside a hand-rolled stack-based JavaScript VM in index.js (functions iL/iw with ~200 opcodes, base64-encoded bytecode chunks in array S). Decoding the VM's constant pool reveals a hardcoded Telegram bot token (8604230339:AAE0jcxBc1QC_YV1Um6TT4bvC0mgZGlhoy4), chat id (-1002861294159), the base URL https://api.telegram.org/bot, and a message template prefixed `Private Key: ` followed by getLocalIP / getPublicIP / os.hostname / platform / arch / ISO timestamp fields, posted via axios.post to /sendMessage. Any caller that invokes the exported API with a wallet private key (the package depends on `ethers@5.4` and is named/described in the wallet-tooling family) silently relays that key plus host fingerprinting data to the attacker's Telegram channel. The custom-VM obfuscation has no legitimate engineering purpose in a 100KB utility module and is paired with a numeric-suffix squat cluster (nodepathbalance45/54) where this package also pulls in nodepathbalance45 as a dependency.\n","modified":"2026-06-19T05:31:47.561197807Z","published":"2026-06-19T05:01:34Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-19T05:16:49.478312597Z","sha256":"d5ade836e7f92049242a01dbc0782900900c4e28eb7e08f9d9ebc611aab80762","modified_time":"2026-06-19T05:01:34Z","source":"amazon-inspector","id":"IN-MAL-2026-007052","versions":["1.1.0"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/nodepathbalance54/v/1.1.0"}],"affected":[{"package":{"name":"nodepathbalance54","ecosystem":"npm","purl":"pkg:npm/nodepathbalance54"},"versions":["1.1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nodepathbalance54/MAL-2026-6192.json","indicators":{"package_integrity":[{"hashes":{"sha1":"91e1c12fdd70e4d77f5fe442f5125ca5b71c400e","sha512_sri":"sha512-Q+9SNGAkOkws0kE2dYIWdRssCGl0eQHtZzIz8CcGgyxYNn4bf5kBU8YffAevYdfGOgyl11fPVRYH9l3+SrguRA=="},"filename":"nodepathbalance54-1.1.0.tgz"}],"evidence_files":[{"sha256":"0a26d28823d02c6e6e55beb95c206268c425b49b9801e4a9ff175bd594429915","path":"index.js","tlsh":"f8b3d991b7d6a02d80bd63705a1b7181e876edb1080918b8cfa1fa548d66b87c3fff54"},{"sha256":"7176206758dcf67f2b5d2d9b9cd1f7bfbd4ae2f1ea2c14ccc2619db9faeffcd1","tlsh":"a1e0df228f004a2302b05ba2183c8353b3d5af5f5428ac4b71bf1a2c49a32b318e5b48","path":"package.json"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}