cb-wallet-data @0.0.1
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-4506
Ecosystem: npm
Summary
The package name 'cb-wallet-data' targets a presumed Coinbase-internal namespace and is published by an unaffiliated party. Both postinstall.js (npm install lifecycle hook) and index.js (main, runs on require) issue an unconditional HTTPS GET to https://icy-cell-fb53.gh0stfqce25.workers.dev/poc carrying the package name and the installer's Node.js runtime version as query parameters. Any developer or build system whose package manager misroutes the internal name 'cb-wallet-data' to the public npm registry will silently transmit the existence of that internal name plus their Node version to a third-party Cloudflare Workers endpoint without consent. While the payload is narrow (no credential or environment scraping), the channel is a confirmed install-time and import-time beacon to attacker/researcher-controlled infrastructure, exposing internal namespace and toolchain metadata that is itself sensitive supply-chain reconnaissance data.
Source: amazon-inspector (9d076ee3d487c7c10f785494c4391e39eb327b696224d5653746144fa5ac8d37)