npm

@wrenfield/abitype @1.2.7

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 7:46 AM UTC

Malicious

OSV ID

MAL-2026-10529

Ecosystem

npm

Summary

Package @wrenfield/abitype impersonates the well-known wevm/abitype library: it copies the upstream README verbatim (links to abitype.dev, wevm.eth, contributors awkweb.eth and jxom.eth) and retains "repository": "wevm/abitype" in package.json, while publishing under an unrelated @wrenfield scope. Two import-reachable files in the published tarball — dist/cjs/human-readable/runtime/utils.js (line 238 onward) and dist/esm/exports/index.js (line 19 onward) — carry an obfuscator.io payload (RC4-decoded ~580-entry string array, control-flow flattening, anti-debug self-defending) appended after the legitimate abitype source. The decoded payload dynamically loads node http/https, issues a GET to a runtime-constructed remote endpoint with a custom User-Agent, follows 301/302/303/307/308 redirects, writes the response to disk, fs.chmodSync's it to 0o755, and executes the bytes via spawn(process.execPath,..., {detached:true, stdio:'ignore'}) and via spawn('sh', ['-c',...]). Because dist/cjs/human-readable/runtime/utils.js is reached through the package's main entry (parseAbiItem → utils) and the file is listed in package.json sideEffects, the downloader fires automatically on require('@wrenfield/abitype') / import. Installing or loading this package runs attacker-controlled code on the installer's machine.

Source: amazon-inspector (1d1b16f2fdde2184bdcfb6f2c91f18c328dee9aa1bb111f86d3130f47c42c9e5)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.