{"id":"MAL-2026-6688","summary":"Malicious code in console-fmt-cli (npm)","details":"Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. `console-fmt-cli` uses a side-loader technique: it declares `decimal-format-core \u003e=3.0` as a dependency, which contains a dropper that executes at install time via a `postinstall` hook. The dropper fetches a second-stage infostealer from a remote C2 (`logstream-api.online`) that harvests cryptocurrency wallet vaults (MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, TronLink), browser cookies and credentials, SSH keys, AWS credentials, `.npmrc` tokens, Docker config, shell history, and password manager databases.","modified":"2026-06-30T21:01:39.467667461Z","published":"2026-06-30T00:00:00Z","database_specific":{"malicious-packages-origins":null},"references":[{"type":"REPORT","url":"https://safedep.io/defi-infostealer-fake-arbitrage-bot-npm/"}],"affected":[{"package":{"name":"console-fmt-cli","ecosystem":"npm","purl":"pkg:npm/console-fmt-cli"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"iocs":{"domains":["logstream-api.online"]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/console-fmt-cli/MAL-2026-6688.json"}}],"schema_version":"1.7.5","credits":[{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}