{"id":"MAL-2026-6326","summary":"Malicious code in web3-eth-utils (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (4a262e70316cd74a87b043cd1985e456639781763d4a3ef69aa09d99a2795154)\nPackage name, README, repository URL, contributors, and module structure are copied from the legitimate '@ethereumjs/util' / 'ethereumjs-util' package, presenting itself as a drop-in for that widely-used Ethereum utility library. The compiled Node entry dist/index.js contains a side-effect-only `require(\"assertcore\")` at line 60 (no symbols from the module are used), and assertcore is declared as a runtime dependency (^3.1.7) in package.json. This `require` is absent from the TypeScript source src/index.ts and from the browser bundle dist.browser/index.js — it was injected into the shipped Node bundle after the build, a deliberate smuggling pattern. Any consumer who installs web3-eth-utils believing it to be the real ethereumjs util package will pull assertcore into their dependency tree and execute its top-level code at every `require('web3-eth-utils')`, handing arbitrary install/require-time execution to the assertcore maintainer.\n","modified":"2026-06-23T17:01:27.061809730Z","published":"2026-06-23T15:55:57Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-007253","modified_time":"2026-06-23T15:55:57Z","source":"amazon-inspector","sha256":"4a262e70316cd74a87b043cd1985e456639781763d4a3ef69aa09d99a2795154","import_time":"2026-06-23T16:54:11.897080612Z","versions":["6.2.8"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/web3-eth-utils/v/6.2.8"}],"affected":[{"package":{"name":"web3-eth-utils","ecosystem":"npm","purl":"pkg:npm/web3-eth-utils"},"versions":["6.2.8"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"filename":"web3-eth-utils-6.2.8.tgz","hashes":{"sha1":"a2097efb6c2da53078b86201916ce749086cc42e","sha512_sri":"sha512-OtU86BvsL8c0JDFcMa2RdYvmXaiSvEHBlCOtiaifxh4fTq9FV7Z7Lr0bA55hU/WAGJmi+3iYQ8gDtBEOMsK1SA=="}}],"evidence_files":[{"path":"dist/index.js","tlsh":"8a51cc1b3658b8f583f860f81b2bd1c3f931593301b29a24866cd7f0dda698a85f4e1d","sha256":"b58ae60ae0836b1569599e7f53790f6a70bb1ecd60e5b1232b5c76361c0afa22"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/web3-eth-utils/MAL-2026-6326.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}