{"id":"MAL-2026-6445","summary":"Malicious code in base58-core (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c10874ae13f1937b6974bcaaec72996e54f85fc3de6bf5e53d732f6e1f37c8a3)\nThe package presents itself as a Base58 encoder/decoder but on require() arms a malicious payload that is time-gated to activate 72 hours after first import (ACTIVATION_DELAY = 72*60*60*1000 in dist/index.cjs:94-95) to evade CI and sandbox testing. Once active, it: (1) starts a 2.5s clipboard polling loop (dist/index.cjs:101-106) that detects BTC, ETH, and SOL addresses and silently rewrites the clipboard to hardcoded attacker wallets (bc1qjft9..., 0xd63eD4..., A7ajd7W5...), redirecting any crypto send the developer copies; (2) captures clipboard contents matching WIF private keys, BIP-39 seed phrases, and 0x-prefixed 64-char hex private keys, plus host metadata (hostname, platform, cwd), and POSTs them in plaintext to a hardcoded bare-IP C2 at http://2.27.62.51:8080/api/health (with :8081 fallback) via dist/index.cjs:96-97; (3) establishes persistence by appending a node -e loader to ~/.bashrc, ~/.zshrc, and ~/.profile and dropping base58-runtime.js into the Windows Start Menu Startup folder (dist/index.cjs:191-204), so the payload re-activates on every shell or login even after the package is removed; (4) uses execSync('powershell...') in dist/index.cjs:153 for Windows clipboard access. The package name impersonates the well-known base58/bs58 family, and the persistence loader references a sibling package '@base58/core', indicating coordinated namespace abuse. Crypto developers are the precise targeted victim profile.\n","modified":"2026-06-25T08:01:27.760323225Z","published":"2026-06-25T06:43:58Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.1"],"source":"amazon-inspector","modified_time":"2026-06-25T06:43:58Z","sha256":"6e2594f5ee1ee71b3fb6a42fd834dee3598ce0993bd5718769dad01c916326d1","import_time":"2026-06-25T07:47:51.798999099Z","id":"IN-MAL-2026-007492"},{"versions":["1.0.0"],"source":"amazon-inspector","modified_time":"2026-06-25T06:44:18Z","sha256":"c10874ae13f1937b6974bcaaec72996e54f85fc3de6bf5e53d732f6e1f37c8a3","import_time":"2026-06-25T07:47:51.841500941Z","id":"IN-MAL-2026-007493"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/base58-core/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/base58-core/v/1.0.0"}],"affected":[{"package":{"name":"base58-core","ecosystem":"npm","purl":"pkg:npm/base58-core"},"versions":["1.0.1","1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/base58-core/MAL-2026-6445.json","indicators":{"evidence_files":[{"path":"dist/index.cjs","tlsh":"281251a82af754a0c223b0ad435f90127539f153390ddd68be0ce7841fa597857e37ae","sha256":"0883f67f12ef0c2b1da1e11a4d31a08fdaedc5c7de0db2fb98cb6f7e5efd3224"},{"path":"dist/index.js","tlsh":"bb1241a82af754a0c223b0ad426f90127539f153394ddd6cbe0ce7845fa153857e3bae","sha256":"0e9d1ba8dd0e5c06cdb94bb8eb52af519ed319df3d2faf54e063a653c6191f11"}],"package_integrity":[{"hashes":{"sha1":"b4dd05c96809c80d69d48fdab4a25b84078da84c","sha512_sri":"sha512-MI3HAkFL4EL2Xu7lTeZeTrVkkzUiwNVdkk6Z4xzybU39RFmo0BvZIAkB1J5Yx5qkX5mgYzOeNvJFwgrEJZMFcA=="},"filename":"base58-core-1.0.1.tgz"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}