crypt0co-walet-poc @1.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4540
Ecosystem
npm
Summary
On require/import, index.js (lines 6-12) serializes the full process.env to /tmp/poc_impact.json and runs whoami and ip addr via execSync to fingerprint the host. Any consumer that imports this package leaks every environment variable available to the Node process into a predictable, world-readable path under /tmp, where any local user or subsequent process can read it; on CI runners and developer machines that environment routinely includes cloud credentials, npm/GitHub tokens, and other secrets. The package name crypt0co-walet-poc uses character substitutions (0 for o, walet for wallet) consistent with impersonation of crypto-wallet packages, and the code self-labels as "CRITICAL IMPACT POC P0". The description, keywords, and author metadata fields are empty. Even if the publisher's stated intent is bug-bounty research, the harm to anyone who installs the package, a full environment dump plus recon command execution at import time, is real and unconsented.
Source: amazon-inspector (b5510d98b1e380f6c130bf9b4428321d711ae88d8a4fcb66368a2f6fb4e7ff58)