@wrenfield/viem @2.53.4
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 9:46 AM UTC
OSV ID
MAL-2026-10571
Ecosystem
npm
Summary
Package @wrenfield/viem impersonates the popular viem library (homepage viem.sh, repo wevm/viem); README and authors fields credit the real viem maintainers but the package itself is published under an unrelated @wrenfield scope. The shipped source under _cjs/ mirrors viem's real code, but package.json rewrites the abitype dependency via npm alias: "abitype": "npm:@wrenfield/abitype@1.2.4" . The CommonJS entry _cjs/index.js calls require("abitype") at module load, so any installer who require() s or import s @wrenfield/viem transitively pulls and executes code from @wrenfield/abitype@1.2.4 — a separate package under the same attacker-controlled scope, outside this tarball. The combination of brand impersonation of a top npm package plus a silent dependency redirect to an attacker-controlled namespace is the namespace-abuse / dependency-hijack pattern: the lure package looks legitimate on inspection, while the actual payload is delivered through the redirected dependency at first import.
Source: amazon-inspector (fa26048a977a00adcd1ffc42ccf06110e3807bb2a3145a01fd01318dcfe79771)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.