eth-lib-utils @5.2.5
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10499
Ecosystem
npm
Summary
Package eth-lib-utils@5.2.3 impersonates @ethereumjs/util / ethereumjs-util (README, author list, repository URL, and source tree copied from the legitimate package). The published Node build dist/index.js contains an unconditional require("assertcore") at module load that is absent from the TypeScript source src/index.ts and from the parallel dist.browser/index.js — the import was injected only into the shipped artifact. The required name assertcore is not declared in package.json; the declared dependency is the differently-named assertcoreutils (^2.3.2), an unrelated name shaped to look like an Ethereum companion package. The effect on a consumer that runs require('eth-lib-utils') in Node is to load whatever code is published under assertcore / assertcoreutils in the installer's process, while the package presents itself as a drop-in for a widely-used Ethereum utility. This is the standard typosquat-plus-transitive-dropper shape: the lure package looks like a clean re-export, the harmful code lives one resolution hop away in a name the installer never asked for.
Source: amazon-inspector (13895e2e8ee4aa9683c2fd6f0f873a38b19bbc5af207233e22c51668bc7dba41)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.