chain-api-sdk @0.2.12
Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC
OSV ID
MAL-2026-10009
Ecosystem
npm
Summary
chain-api-sdk presents itself as the upstream multichain-crypto-wallet library: README, badges, package.json repository.url, and homepage all point to github.com/iamnotstatic/multichain-crypto-wallet, and the public API re-exports that project's wallet primitives (createWallet, transfer, private-key handling, mnemonic generation, encrypted-JSON keystore operations). The npm name differs from the upstream, so consumers who install chain-api-sdk believing they are using the legitimate library are routed to this fork. The fork's main entry (dist/index.js) unconditionally require s mchain-sdk and re-exports its mci and multiChainInterface symbols; package.json pins mchain-sdk: ^4.2.5 . The upstream multichain-crypto-wallet does not depend on mchain-sdk. Because mchain-sdk is loaded on any require('chain-api-sdk') , whatever code ships in mchain-sdk executes inside the installer's Node.js process at library-load time, in a wallet library that handles private keys, mnemonics, and keystore data. The combination of upstream impersonation plus an undocumented, name-similar transitive that runs at import inside a wallet context is the delivery-vector shape of a dependency-chain dropper.
Source: amazon-inspector (0cc73eb727778c3a543bdef1f6993d4c8be38da047fc97b7a0614bd195590249)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.