npm

base58-core @1.0.5

Vulnerability report · Last retrieved from osv.dev June 29, 2026 at 6:55 AM UTC

Malicious

OSV ID

MAL-2026-6445

Ecosystem

npm

Summary

base58-core@1.0.5 presents itself as a base58 encoding library (README markets it as @base58/core, public API mimics bs58/@scure/base) but on require of dist/index.js it arms a time-bombed payload that activates 72 hours after install. After activation, a 2.5s timer polls the OS clipboard, detects BTC/ETH/SOL addresses, and silently replaces them with attacker-controlled wallet addresses (bc1qjft978uykglsh0adcyx6xhkes56vqzs3fual3l, 0xd63eD44065eDb1e2ad2519B011c06412dA7B7c5B, A7ajd7W5WYdrnkeaiBRjVoK6uBEDvgnuZcpzQXqo18Ph), redirecting any outgoing crypto transfer made by a user on the installer's machine to the attacker. When clipboard contents match wallet addresses, WIF/hex private keys, or BIP-39 seed phrases, the package POSTs the matches together with hostname, platform, cwd, and up to 2000 chars of clipboard content to a hardcoded bare-IP endpoint at http://2.27.62.51:8080/api/health (with :8081 as backup) over plain HTTP. For persistence, it appends a hook to ~/.bashrc, ~/.zshrc, and ~/.profile that re-invokes the payload via node -e "require('@base58/core')._internal.activate()" on every shell, and on Windows drops base58-runtime.js into the Startup folder, ensuring the clipper survives reboots and host-process exits. The 72-hour activation delay and powershell-based execSync calls are anti-analysis measures to evade sandbox/CI review. Installer impact is direct financial theft (crypto-address substitution), credential/seed-phrase theft (clipboard exfiltration), and persistent compromise of the developer's shell environment.

Source: amazon-inspector (0081cc9c4152afede923a3e8ee9eb2116b32c02b7f355edbd411f23b2e67273c)
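A defender-side check for the two on-disk traces the summary names (the package version in a lockfile and the shell-profile hook), as an added example that is not part of the advisory or of any scanner's code. The function names and sample inputs are constructed for illustration, and the alias handling assumes npm's lockfile conventions.

```javascript
// Indicators copied from the advisory text; everything else is illustrative.
const BAD_NAME = "base58-core";
const BAD_VERSION = "1.0.5";

// Lockfile entries that resolve base58-core@1.0.5.
// Covers lockfileVersion 2/3 ("packages") and version 1 (nested "dependencies").
function findLockfileHits(lockText) {
  const lock = JSON.parse(lockText);
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // npm records "name" when the install path differs from the real package name (alias).
    const name = meta.name || path.split("node_modules/").pop();
    if (name === BAD_NAME && meta.version === BAD_VERSION) hits.push(path);
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = `${trail}/${name}`;
      const aliased = meta.version === `npm:${BAD_NAME}@${BAD_VERSION}`;
      if ((name === BAD_NAME && meta.version === BAD_VERSION) || aliased) hits.push(here);
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, "dependencies");
  return hits;
}

// 1-based line numbers of the persistence hook in a shell rc file.
// Matches on the two stable fragments so quoting differences do not hide it.
function findShellHook(rcText) {
  return rcText
    .split(/\r?\n/)
    .map((line, i) => (line.includes("@base58/core") && line.includes("_internal.activate") ? i + 1 : 0))
    .filter(Boolean);
}

// Constructed sample inputs (not taken from a real host).
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0" },
    "node_modules/bs58": { version: "5.0.0" },
    "node_modules/base58-core": { version: "1.0.5" },
    "node_modules/@base58/core": { name: "base58-core", version: "1.0.5" },
  },
});
const SAMPLE_RC = ["export PATH=$HOME/bin:$PATH",
  `node -e "require('@base58/core')._internal.activate()"`, "alias ll='ls -l'"].join("\n");

console.log(findLockfileHits(SAMPLE_LOCK), findShellHook(SAMPLE_RC));
```

Feed it the contents of package-lock.json and of ~/.bashrc, ~/.zshrc and ~/.profile. On Windows, the base58-runtime.js file in the Startup folder named in the summary is the equivalent trace.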
