base58-core @1.0.12
Vulnerability report · Last retrieved from osv.dev July 6, 2026 at 10:15 AM UTC
OSV ID
MAL-2026-6445
Ecosystem
npm
Summary
The package advertises itself as a Base58 encoder/decoder but on require() schedules a delayed payload that performs multiple installer-side attacks. After a 72-hour activation delay, code in dist/index.cjs and dist/index.js enumerates installer-owned secret stores — MetaMask extension storage across Chrome/Chromium/Brave/Edge profiles, Telegram Desktop tdata sessions, ~/.ssh keys, ~/.npmrc _authToken values, browser profile inventories, and env/.env crypto secret variables — and POSTs the collected report to a hardcoded bare-IP endpoint at http://2.27.62.51:8080/api/health (with:8081 as backup). A setInterval clipboard monitor invokes pbpaste/xclip/PowerShell via child_process every 2.5 seconds, matches BTC/ETH/SOL address regexes plus WIF private keys, BIP39 seed phrases (12–24 words), and 64-hex private keys, rewrites detected wallet addresses to attacker-controlled destinations (bc1qjft978uykglsh0adcyx6xhkes56vqzs3fual3l, 0xd63eD44065eDb1e2ad2519B011c06412dA7B7c5B, A7ajd7W5WYdrnkeaiBRjVoK6uBEDvgnuZcpzQXqo18Ph), writes them back to the clipboard, and exfiltrates matched values and the original clipboard slice to the same endpoint. A persistence routine appends a node -e loader to ~/.bashrc, ~/.zshrc, and ~/.profile that re-invokes the payload on every shell start; on Windows it drops base58-runtime.js into the user Startup folder, keeping the clipboard hijacker and exfil active across reboots and beyond project uninstall. The 72-hour dormancy timer is designed to evade sandbox and CI dynamic analysis. The package name and keywords (bitcoin/solana/wallet/ipfs) impersonate legitimate Base58 libraries to target crypto developers.
Source: amazon-inspector (048a186e2e59bb0b7d9986c7099e527390e38690292bc49e237578a471c56680)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.