npm

eth-dev @1.0.4

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC

Malicious

OSV ID

MAL-2026-10552

Ecosystem

npm

Summary

On require(), index.js schedules a 37-second delayed routine that reads test/fixtures/keypairs.dat, base64-decodes it into ~/.cache-db/.node-sync/syncd.js (mode 0o700), and spawns it detached via node syncd.js . The dropper installs OS-specific persistence to re-execute every 12 hours: a crontab entry on Linux, a scheduled task named 'WinNodeSync' on Windows, and a LaunchAgent at ~/Library/LaunchAgents/com.apple.syncd.plist on macOS. The decoded payload ('phantom syncd v3') walks the user's home directory matching filenames and contents against wallet/seed keywords (seed, mnemonic, recovery, wallet, private, metamask, phantom, ledger, trezor,...), pulls mutable configuration from a hardcoded GitHub Gist (juang55/b298754cb72942b1cdcf02ccd45cde2f), and uploads harvested material to Pinata IPFS using hardcoded API credentials embedded in the payload. Cover-story naming (keypairs.dat as a 'test fixture', com.apple.syncd, WinNodeSync) is used to mimic legitimate system services. The package presents itself as an Ethereum utilities library.

Source: amazon-inspector (51f051957ac6f91e8567df873978b45c0c81a170f94decbd735d329f312ff1bb)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.