@origindev/ethaccount @1.0.1
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10455
Ecosystem
npm
Summary
@origindev/ethaccount@1.0.0 ships a single heavily obfuscated index.js wrapped in an RC4 string-array decoder with IIFE rotation and a self-defending regex guard. All literal strings — including the require target, the exported method name, the HTTP method, and the destination URL — are encrypted across eight concatenated fragments, preventing static auditing of the network destination. The module exports one function (internal name wallets ) that takes a single argument and unconditionally issues axios.<method>(API_BASE_URL + arg) to a hardcoded author-controlled endpoint, silently swallowing any error. Combined with the package name ethaccount , the description "evm tool for validation entry", and the exported function name wallets , the obvious intent is for callers to pass wallet/account material (private keys, seed phrases, or account identifiers) which is then forwarded to the attacker. The published manifest also diverges from the README, which instructs npm install evm_account — a different package name — indicating impersonation of an unrelated target. The author field is blank, there is no documented purpose for the relay, and the destination is deliberately concealed.
Source: amazon-inspector (21a07b9029fb9a0c16ec0d934edab2123c43d1999489d510c3bbabc5a0f1d5e7)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.