bs58-86@6.0.1

Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 10:42 AM UTC

Malicious

OSV ID

MAL-2026-6448

Ecosystem

npm

Summary

Package bs58-86@6.0.1 reproduces the name, README, repository URL (cryptocoinjs/bs58), and exported API of the widely used bs58 base58 encoding library (>10M downloads/week). The only functional code in src/cjs/index.cjs is require('base62-86x')(ALPHABET): instead of depending on the real base-x package that genuine bs58 uses, this package pulls in base62-86x (declared as ^5.0.4 in package.json dependencies), an unrelated package controlled by a different publisher. All actual base-x implementation runs out of base62-86x, so any developer who installs bs58-86 thinking it is bs58 ends up executing whatever base62-86x ships, at require time. This is the typosquat-plus-dependency-redirect shape: the lure package is a thin shim whose only effect on the installer is to pull in and execute the redirected dependency.

Source: amazon-inspector (057e2e470e0bc9dbfd2ff37955c0c7d051cca944025b9d62c882ffc98c4434e5)
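
The check below is an added example, not part of the report or of any scanner's code. It flags the shape described in the summary (a manifest that claims a known package's repository under another name and swaps its dependency) and locates the two named packages in a lockfile; it generalizes to any baseline you list. The helper names, the sample manifest, the full repository URL, and the sample lockfile are constructed for illustration.

```javascript
// Known-good identity taken from the report: bs58 lives at cryptocoinjs/bs58
// and builds on base-x. Add further baselines for other packages you rely on.
const BASELINES = [{ name: 'bs58', repo: 'cryptocoinjs/bs58', deps: ['base-x'] }];

// Reduce "git+https://github.com/owner/repo.git" style values to "owner/repo".
function repoSlug(repository) {
  const url = typeof repository === 'string' ? repository : (repository && repository.url) || '';
  const m = url.toLowerCase().match(/([\w.-]+\/[\w.-]+?)(?:\.git)?\/?$/);
  return m ? m[1] : '';
}

// Flag a manifest that claims a baseline's repository under a different name,
// and list the dependencies the baseline package does not have.
function checkManifest(pkg) {
  const slug = repoSlug(pkg.repository);
  return BASELINES
    .filter(base => slug === base.repo && pkg.name !== base.name)
    .map(base => ({
      claims: base.name,
      publishedAs: pkg.name,
      unexpectedDeps: Object.keys(pkg.dependencies || {}).filter(d => !base.deps.includes(d)),
    }));
}

// Return every install path in a package-lock.json (lockfileVersion 2 or 3,
// "packages" map) whose package name is on the blocklist.
function findInLock(lock, blocked) {
  return Object.keys(lock.packages || {})
    .filter(path => blocked.includes(path.split('node_modules/').pop()));
}

// Constructed sample data modelled on the report's description.
const sampleManifest = {
  name: 'bs58-86',
  version: '6.0.1',
  repository: { type: 'git', url: 'git+https://github.com/cryptocoinjs/bs58.git' },
  dependencies: { 'base62-86x': '^5.0.4' },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/bs58': {},
    'node_modules/bs58-86': {},
    'node_modules/bs58-86/node_modules/base62-86x': {},
  },
};

console.log(checkManifest(sampleManifest));
console.log(findInLock(sampleLock, ['bs58-86', 'base62-86x']));
```
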
