OSV ID
MAL-2026-6201
Ecosystem
npm
Summary
Package eth-util impersonates the legitimate @ethereumjs/util package: README, repository URL (github.com/ethereumjs/ethereumjs-monorepo), badges, contributor list, and module API are copied from the ethereumjs project, but the package is published under the unrelated short name eth-util . The compiled dist/index.js at line 55 contains a side-effect-only require("assert-kit") that is absent from src/index.ts and from the parallel dist.browser/index.js bundle — tsc would not emit an unreferenced require of a package not present in the source, so this line was injected post-compile. Anyone reading the GitHub source would not see the loader; only the published npm tarball carries it. The assert-kit dependency is declared at ^4.3.2 in package.json, mimic-named after the Node built-in assert referenced in the README, and the caret range lets the publisher ship arbitrary code into installers via any future minor/patch release. On require("eth-util") , the consumer's process executes whatever top-level code assert-kit ships.
Source: amazon-inspector (6fcfa5a90c6e60f1e3a94db0277e5d9bd0058d0d5d3a549e3e62dfb6e05f4223)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.