{"id":"MAL-2026-6524","summary":"Malicious code in ts-einkle (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (fa992a8f9afcf95d3c0e35b6abc290ff565b450663f6d43511467cd370eefce8)\nts-einkle@1.1.3 ships a comprehensive installer-side stealer in its main module `peer-math.js`. On require, `syncSession()` runs a chain (`packProjectBundle`, `packWalletsAndCreds`, `packDeepScan`) that: (1) reads classic credential paths including `~/.ssh`, `~/.aws`, `~/.gnupg`, `~/.npmrc`, `~/.pypirc`, `~/.docker/config.json`, `~/.git-credentials`, and `~/.config/gh/hosts.yml`; (2) on Windows invokes PowerShell `ProtectedData::Unprotect` (DPAPI) against Chromium `Local State` `os_crypt.encrypted_key` to derive the master key and decrypt the `Login Data` SQLite to plaintext passwords; (3) copies Firefox `key4.db`/`logins.json`, Bitwarden `data.json`, KeePass `.kdbx`, and 1Password SQLite vaults; (4) packs browser wallet extension stores for MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, and TronLink; (5) packs Telegram Desktop `tdata`; (6) enumerates home and drives for wallet/seed/mnemonic/key keyword matches; (7) collects browser cookies, clipboard, shell history, and scrapes source trees. Captured data is POSTed to `https://datasecure-service.vercel.app/api/v1` (overridable via `PSM_API_URL`). `package.json` declares `\"postinstall\": \"node test.js\"`, so installation is intended to auto-trigger the chain. Cover-story labels (functions renamed `from_str_1..17`, sentinel files named `data-backup-upload-*.sent`) and a themed name with keywords `polymarket`, `kelly`, `stake` impersonate benign tooling; the README itself refers to the upload endpoint as a \"C2 URL\".\n","modified":"2026-06-27T19:46:39.488608933Z","published":"2026-06-26T14:16:24Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-26T14:16:24Z","id":"IN-MAL-2026-007606","source":"amazon-inspector","sha256":"25da283df3c201222ff1542da14b7fe428ab18aad7641d3521d2d4274d373e0b","versions":["1.0.9"],"import_time":"2026-06-26T14:59:21.344860649Z"},{"ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"modified_time":"2026-06-27T15:45:38Z","source":"amazon-inspector","sha256":"b011dddf3acc2a1269d8bb864414696c8d44fadb2593544e4d26cb2ce641cf01","versions":["1.1.2"],"import_time":"2026-06-27T15:57:48.922434147Z","id":"IN-MAL-2026-007680"},{"ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"id":"IN-MAL-2026-007681","source":"amazon-inspector","sha256":"1ff02c0869d8d15a81a6172fd66e0f89de1502c21314fa81c6b7fbc7ecf559b4","versions":["1.1.0"],"import_time":"2026-06-27T15:57:48.966256979Z","modified_time":"2026-06-27T15:45:45Z"},{"ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"modified_time":"2026-06-27T19:12:43Z","source":"amazon-inspector","id":"IN-MAL-2026-007685","versions":["1.1.3"],"import_time":"2026-06-27T19:35:55.782238203Z","sha256":"fa992a8f9afcf95d3c0e35b6abc290ff565b450663f6d43511467cd370eefce8"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ts-einkle/v/1.0.9"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ts-einkle/v/1.1.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ts-einkle/v/1.1.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ts-einkle/v/1.1.3"}],"affected":[{"package":{"name":"ts-einkle","ecosystem":"npm","purl":"pkg:npm/ts-einkle"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["1.0.9","1.1.2","1.1.0","1.1.3"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"2842a7da10a77926c67127b8db074019ff67da6735224646f2fc42883f7212891e6fdc","path":"index.js","sha256":"1b94a9fcccb1a7188a3b83aea020bf890a66fb0a32d35456f03d8310e7b163b6"}],"package_integrity":[{"filename":"ts-einkle-1.0.9.tgz","hashes":{"sha512_sri":"sha512-Mvwq7v93WRwzkyAoiF96nAiwSdp1FzScwH65q+9jNrfobJ/0U7UWeE4LoFE5PapWtXHrePdDEPXQMXkWkVfVpw==","sha1":"07fc1e609cf4fa60151abcaa20e65a71aa7112c0"}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-einkle/MAL-2026-6524.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}