base58-core @1.0.1

Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 10:42 AM UTC

Malicious

OSV ID

MAL-2026-6445

Ecosystem

npm

Summary

The package presents itself as a Base58 encoder/decoder, but on require() it arms a malicious payload that is time-gated to activate 72 hours after first import (ACTIVATION_DELAY = 72*60*60*1000 in dist/index.cjs:94-95) to evade CI and sandbox testing. Once active, it:

(1) starts a 2.5s clipboard polling loop (dist/index.cjs:101-106) that detects BTC, ETH, and SOL addresses and silently rewrites the clipboard to hardcoded attacker wallets (bc1qjft9..., 0xd63eD4..., A7ajd7W5...), redirecting any crypto send the developer copies;

(2) captures clipboard contents matching WIF private keys, BIP-39 seed phrases, and 0x-prefixed 64-char hex private keys, plus host metadata (hostname, platform, cwd), and POSTs them in plaintext to a hardcoded bare-IP C2 at http://2.27.62.51:8080/api/health (with :8081 fallback) via dist/index.cjs:96-97;

(3) establishes persistence by appending a node -e loader to ~/.bashrc, ~/.zshrc, and ~/.profile and dropping base58-runtime.js into the Windows Start Menu Startup folder (dist/index.cjs:191-204), so the payload re-activates on every shell or login even after the package is removed;

(4) uses execSync('powershell...') in dist/index.cjs:153 for Windows clipboard access.

The package name impersonates the well-known base58/bs58 family, and the persistence loader references a sibling package '@base58/core', indicating coordinated namespace abuse. Crypto developers are the precise targeted victim profile.

Source: amazon-inspector (c10874ae13f1937b6974bcaaec72996e54f85fc3de6bf5e53d732f6e1f37c8a3)