npm

chain-sdk-js @1.0.5

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC

Malicious

OSV ID

MAL-2026-10608

Ecosystem

npm

Summary

chain-sdk-js is a typosquat of @thetalabs/theta-js (package name, description, author 'Theta Labs', and bundle filenames thetajs.cjs.js/thetajs.umd.js all mimic the legitimate SDK). The package's main entry, executed on require/import in cjs, esm, and umd builds, DES-decrypts an opaque blob ( rsa.db ) loaded from the co-installed dependency thedata (^1.0.1) using the hardcoded password 'hydra', then spawns a node child process and pipes the decrypted bytes into its stdin for execution ( child_process.spawn('node', [], {...}); rsa_exec.stdin.write(String(rsaDecrypted)) ). Splitting the loader from the encrypted payload into a separately-published dependency ( node_modules/thedata/apps/docs/app/rsa.db and des.db ) hides the actual code that runs from static inspection of this tarball. The dist bundles also contain hardcoded POST/fetch call sites consistent with outbound network activity from the executed payload. Any consumer that installs and imports this package runs attacker-controlled code with the installer's privileges; the typosquat targets Theta blockchain developers who handle wallet and private-key material.

Source: amazon-inspector (cb94ce743d92fe81015db70380ba325e78e4271b78689a9a6998cda4e6bdc038)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.