base58-utils @1.0.5
Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC
OSV ID
MAL-2026-10606
Ecosystem
npm
Summary
The package's index.js contains multiple Buffer.from(...) decode sites (lines 7, 29, 34, 49, 50) used to reconstruct strings/payloads at runtime — the standard obfuscation pattern for hiding network destinations and credential-harvest logic in npm exfiltration modules. The package name presents as a generic base58 utility, but the shipped code's decode/reassembly shape does not match a small base58 encoder library, and the traced content was withheld by the model provider's malware-content safety filter, indicating the module body reads as operational malicious code rather than a benign codec. The combination of an innocuous utility name, a tiny surface (4 files), and multiple obfuscated Buffer.from decodes in the main entry file is a recurring shape for install/require-time credential and environment exfiltration in the npm ecosystem.
Source: amazon-inspector (ba5517883cb10a7c76e95fdf21a4ffce21c13fe1ca42fafc13f5adb021599772)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.