crossmint-wallets-sdk @1.0.0
Vulnerability report · Last retrieved from osv.dev June 27, 2026 at 7:51 AM UTC
OSV ID: MAL-2026-6545
Ecosystem: npm
Summary
Package name impersonates the Crossmint wallet SDK family. Both preinstall.js and index.js import child_process, capture host identifiers (hostname is read on line 7/9 respectively), and POST the collected data via https.request to a hardcoded external endpoint (line 12/23). The preinstall.js path fires automatically on npm install before any user code runs, giving the publisher install-time data exfiltration from any developer or build system that installs this package. The combination of child_process + hostname collection + outbound POST in a preinstall lifecycle script, in a package whose name typosquats a known wallet SDK, matches the active-attack credential/reconnaissance exfiltration fingerprint.
Source: amazon-inspector (dd4caebfba35b43bf10f156fe687f455e95b09a514b8644fe1a900b63f1bf78a)