{"id":"MAL-2026-6695","summary":"Malicious code in ts-bn-proto (npm)","details":"Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. `ts-bn-proto` embeds an infostealer payload directly in `index.js`, with the C2 address (`data-stream.space`) stored base64-encoded, and runs that payload at install time via a `postinstall` hook. Because `postinstall` hooks run during package installation unless lifecycle scripts are disabled (for example with npm's `--ignore-scripts`), installing the package is enough to trigger the payload; it does not need to be imported. The payload harvests cryptocurrency wallet vaults (MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, TronLink), browser cookies and credentials, SSH keys, AWS credentials, developer secrets, and password manager databases, then exfiltrates all data to the attacker-controlled C2. All versions are affected: the affected range starts at `0` and lists no fixed version.","modified":"2026-06-30T21:01:39.340083157Z","published":"2026-06-30T00:00:00Z","database_specific":{"malicious-packages-origins":null},"references":[{"type":"REPORT","url":"https://safedep.io/defi-infostealer-fake-arbitrage-bot-npm/"}],"affected":[{"package":{"name":"ts-bn-proto","ecosystem":"npm","purl":"pkg:npm/ts-bn-proto"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"iocs":{"domains":["data-stream.space"]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-bn-proto/MAL-2026-6695.json"}}],"schema_version":"1.7.5","credits":[{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}