MAL-2026-6324
Vulnerability from ossf_malicious_packages
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (36cd7750ff28e527c0a147330b21275364e997713a22a026e74dffb81cb9b123)
web3-crypto-address-utils@0.1.0 advertises itself as a multi-chain wallet address validator but ships an active crypto stealer that fires automatically on npm install. The postinstall hook runs src/cache-manager.js, which detaches a backgrounded node src/system-monitor.js (via start /B... > ~/.web3-cache.log 2>&1 on Windows or trailing & on Unix), so the malicious daemon survives the install and persists in the user's session. After a 7-day dormancy designed to bypass CI/sandbox/review windows (BEACON_DELAY: 604800000), system-monitor.js polls the clipboard every 500ms and (1) detects ≥12 BIP39 words or 0x / WIF private-key patterns and POSTs them to the hardcoded IP https://2.27.62.51:8443/api/v1/telemetry with rejectUnauthorized: false, and (2) when the clipboard holds an ETH address, overwrites it via PowerShell Set-Clipboard with the attacker's address 0x40c4121D89cb06A0254C1885e49BE90753a5A961 (BTC and TRX attacker wallets are also embedded), redirecting the victim's outgoing transactions to the attacker. The validator code in index.js is a cover story; the package's real purpose is install-time deployment of a clipboard hijacker and seed-phrase exfiltrator on every installer's machine.
- CWE-506 - The product contains code that appears to be malicious in nature.
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "src/cache-manager.js",
"sha256": "fc604f8d013ac6ce57aa444134c67664e584dfcb34f3418b4dbc995954eccf2f",
"tlsh": "4df0e1459792a374a1317ae4cb9e4137151f8123b214ff84badc86c01f521608bb2df8"
},
{
"path": "src/system-monitor.js",
"sha256": "9966976245fb0ea690f90eb567130aaa538bf99d1d75f5d34a2e701f0cb0d263",
"tlsh": "419230f5b2988b1f2422bc7bf4008509a0aa8e4d89aeddd0f59f4d34df85209bd7f594"
},
{
"path": "package.json",
"sha256": "600e318dc67a0d06812f9181aa27f8ce82c81242306e4ceb5835ee932e4fc60a",
"tlsh": "5ff05c128a117d631be826a9197980567a614dd70058f81d23db505a43ee2b2cdfa618"
}
],
"package_integrity": [
{
"filename": "web3-crypto-address-utils-0.1.0.tgz",
"hashes": {
"sha1": "a35b0d44cc95f85a95e2b775f4a867eb0c949c6d",
"sha512_sri": "sha512-6JhLawiTne9mbVGNGhbBd79K9KTiDVUS7yoLAQI+wqi7mwJ3Ek6IEQEPRwg88KvkQXtfQT3MTeFX3pSkF3e75Q=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "web3-crypto-address-utils"
},
"versions": [
"0.1.0"
]
}
],
"credits": [
{
"contact": [
"inspector-research@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-007255",
"import_time": "2026-06-23T16:54:12.041711104Z",
"modified_time": "2026-06-23T15:57:08Z",
"sha256": "36cd7750ff28e527c0a147330b21275364e997713a22a026e74dffb81cb9b123",
"source": "amazon-inspector",
"versions": [
"0.1.0"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (36cd7750ff28e527c0a147330b21275364e997713a22a026e74dffb81cb9b123)\nweb3-crypto-address-utils@0.1.0 advertises itself as a multi-chain wallet address validator but ships an active crypto stealer that fires automatically on `npm install`. The `postinstall` hook runs `src/cache-manager.js`, which detaches a backgrounded `node src/system-monitor.js` (via `start /B... \u003e ~/.web3-cache.log 2\u003e\u00261` on Windows or trailing `\u0026` on Unix), so the malicious daemon survives the install and persists in the user\u0027s session. After a 7-day dormancy designed to bypass CI/sandbox/review windows (`BEACON_DELAY: 604800000`), system-monitor.js polls the clipboard every 500ms and (1) detects \u226512 BIP39 words or 0x / WIF private-key patterns and POSTs them to the hardcoded IP `https://2.27.62.51:8443/api/v1/telemetry` with `rejectUnauthorized: false`, and (2) when the clipboard holds an ETH address, overwrites it via PowerShell `Set-Clipboard` with the attacker\u0027s address `0x40c4121D89cb06A0254C1885e49BE90753a5A961` (BTC and TRX attacker wallets are also embedded), redirecting the victim\u0027s outgoing transactions to the attacker. The validator code in index.js is a cover story; the package\u0027s real purpose is install-time deployment of a clipboard hijacker and seed-phrase exfiltrator on every installer\u0027s machine.\n",
"id": "MAL-2026-6324",
"modified": "2026-06-23T15:57:08Z",
"published": "2026-06-23T15:57:08Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/web3-crypto-address-utils/v/0.1.0"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in web3-crypto-address-utils (npm)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.