npm

eth-base @1.0.0

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10413

Ecosystem

npm

Summary

The published lib/index.js contains ~60KB of obfuscated JavaScript appended after a copy of the legitimate web3.js web3-core-subscriptions module. On require(), the appended IIFE loads axios, issues an HTTPS request to a URL reconstructed at runtime from custom base-85 alphabets, and on a specific response constructs new Function('require', <remote-token>)(require) to execute attacker-supplied JavaScript in-process with full Node require access. The corresponding src/index.js is the clean upstream module, indicating the payload was injected only into the shipped build. The package name and description impersonate a web3.js helper (LGPL header still credits Fabian Vogelsteller <fabian@ethereum.org>) while the repository field is empty. Consumers who require this package receive arbitrary code execution on the installing host at load time.

Source: amazon-inspector (bcc98bc680f3d0b8c6dcf396d9f2425a5153658259014384cedf82698413755b)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.