@tonsdk/core @0.9.3
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5564
Ecosystem
npm
Summary
@tonsdk/core impersonates the legitimate @ton/core TON blockchain SDK. On npm install , scripts/postinstall.js executes automatically and performs two attacker-controlled actions against a hardcoded bare-IP C2 at 213.218.160.189 (ports 8080 and 80) over plaintext HTTP. First, it base64-encodes a JSON fingerprint of the installer host — hostname, username, platform, arch — and sends it as a GET query string to /s?q=<base64> , leaking host identifiers on every install. Second, it fetches a response payload, optionally XOR-decrypts it, and passes the result to eval(), giving the operator arbitrary remote code execution in the installer's Node process. The script also probes for VM/sandbox/analyst tooling (vmtoolsd, vboxservice, wireshark, x64dbg, ida) to suppress execution in researcher environments. The package description and name target developers searching for TON SDK tooling; the repository URL ( aspect-build/tonsdk ) is unrelated to the real TON foundation.
Source: amazon-inspector (d9a9a70e3d8b322df960cb96b195f74693eb4d2ea284680e4cfb41a33f1848f8)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.