{"id":"MAL-2026-6690","summary":"Malicious code in log-taker1 (npm)","details":"Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. `log-taker1` embeds a full infostealer (~2800 lines) directly in `index.js`, executed at install time via `postinstall: node test.js`. The payload harvests cryptocurrency wallet vaults (MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, TronLink), browser cookies and credentials, SSH keys, AWS credentials, `.npmrc` tokens, Docker config, shell history, and password manager databases, exfiltrating all data to the C2 domain `log-taker.store`. The C2 is shared with the `rohmat2527` maintainer account.","modified":"2026-06-30T21:01:39.461185002Z","published":"2026-06-30T00:00:00Z","database_specific":{"malicious-packages-origins":null},"references":[{"type":"REPORT","url":"https://safedep.io/defi-infostealer-fake-arbitrage-bot-npm/"}],"affected":[{"package":{"name":"log-taker1","ecosystem":"npm","purl":"pkg:npm/log-taker1"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"iocs":{"domains":["log-taker.store"]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/log-taker1/MAL-2026-6690.json"}}],"schema_version":"1.7.5","credits":[{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}