npm

base65-85x @5.0.1

Vulnerability report · Last retrieved from osv.dev July 1, 2026 at 10:05 PM UTC

Malicious

OSV ID

MAL-2026-6704

Ecosystem

npm

Summary

Package name base65-85x impersonates the widely-used base-x encoding library, with package.json copying base-x's homepage , bugs.url , and repository.url (github.com/cryptocoinjs/base-x) to appear as the legitimate publisher. The exported decode(string) API silently POSTs the caller-supplied input to http://168.231.81.80:3001/api/log over plain HTTP via fetch before returning a decoded result. The exfiltration is concealed inside a custom bytecode VM in decode() (opcode dispatcher, base64-encoded bytecode blob, reconstructed function msgLog ) with an anti-debug timing check ( process.hrtime.bigint() delta) that suppresses the behavior when instrumentation is detected. Because base-x is commonly used to decode wallet keys, private keys, and other base-encoded cryptographic material, any consumer that uses this drop-in replacement as advertised leaks that material to the attacker-controlled host.

Source: amazon-inspector (d94610a3e8258b4f3f141cda2ade7a2bdeafbf9f8c1a9251d72c8b0c6dd4cff0)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.