{"id":"MAL-2026-6704","summary":"Malicious code in base65-85x (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d94610a3e8258b4f3f141cda2ade7a2bdeafbf9f8c1a9251d72c8b0c6dd4cff0)\nPackage name `base65-85x` impersonates the widely-used `base-x` encoding library, with `package.json` copying base-x's `homepage`, `bugs.url`, and `repository.url` (github.com/cryptocoinjs/base-x) to appear as the legitimate publisher. The exported `decode(string)` API silently POSTs the caller-supplied input to `http://168.231.81.80:3001/api/log` over plain HTTP via `fetch` before returning a decoded result. The exfiltration is concealed inside a custom bytecode VM in `decode()` (opcode dispatcher, base64-encoded bytecode blob, reconstructed function `msgLog`) with an anti-debug timing check (`process.hrtime.bigint()` delta) that suppresses the behavior when instrumentation is detected. Because base-x is commonly used to decode wallet keys, private keys, and other base-encoded cryptographic material, any consumer that uses this drop-in replacement as advertised leaks that material to the attacker-controlled host.\n","modified":"2026-07-01T19:16:49.335064109Z","published":"2026-07-01T18:34:02Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-07-01T19:11:22.398830836Z","source":"amazon-inspector","id":"IN-MAL-2026-007839","modified_time":"2026-07-01T18:34:02Z","sha256":"d94610a3e8258b4f3f141cda2ade7a2bdeafbf9f8c1a9251d72c8b0c6dd4cff0","versions":["5.0.1"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/base65-85x/v/5.0.1"}],"affected":[{"package":{"name":"base65-85x","ecosystem":"npm","purl":"pkg:npm/base65-85x"},"versions":["5.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/base65-85x/MAL-2026-6704.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"tlsh":"9ad3b593a74b70bc516791794e87fc18a635cca3133489ebc64cee841e0a29f46bf9d1","path":"src/cjs/index.cjs","sha256":"b9196913222886e67e5002f7ab12f12bbf2bba656c92a53433d3a0bbd80cfb65"},{"tlsh":"ef312fa6d8a84c2317c4a16199b85503e5315c9b4808fc4e73af422c4b4d17f11fe6ee","path":"package.json","sha256":"79c520b94da1915d20633224c0c4caeebce7b88177a0647be9b7049fc2959829"}],"package_integrity":[{"filename":"base65-85x-5.0.1.tgz","hashes":{"sha1":"516ef297e3d29a20ede7c5765b2e8944c5274328","sha512_sri":"sha512-69zch+Ge/BU7hD7uwoLXdoRRe8vIML0TKv4lWASmk6r5OuBgtwv+RXGAhrJg6FCKnVjQgwrAqQQ5D6RUJ2bgfA=="}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}