npm

abi-encode @1.0.4

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC

Malicious

OSV ID

MAL-2026-10549

Ecosystem

npm

Summary

The package advertises ABI encoding but on require() schedules a 37-second timer that decodes test/fixtures/keypairs.dat (base64-encoded stealer, staged to look like cryptographic test data) into ~/.cache-db/.node-sync/syncd.js with mode 0700 and spawns it detached under node. Persistence is installed by appending a crontab entry (Linux) that re-runs the dropped script every 12 hours, or by registering a scheduled task named WinNodeSync (Windows). The decoded payload walks the installer's home directory for files matching wallet/seed/credential extensions and keywords (.env,.key,.keystore,.pem, seed, mnemonic, wallet, private, metamask, phantom, ledger, trezor, PRIVATE_KEY, MNEMONIC, SECRET, TOKEN), RSA-encrypts matches, and uploads them to attacker-controlled IPFS via api.pinata.cloud using an embedded Pinata API key/secret, with three hardcoded IPFS CID dead drops as fetch fallbacks. The 37-second delay, fake-fixture staging, hidden home-directory drop path, and cross-platform persistence together confirm evasive malicious intent unrelated to ABI encoding.

Source: amazon-inspector (afc61427f74a028242a032b9436c09c43b1df60fef5688aa5389ef107e899259)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.