npm

evm-typechain @0.5.4

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-6932

Ecosystem

npm

Summary

On require, index.js issues an HTTPS GET to https://www.jsonkeeper.com/b/PC5CK, passes the returned JSON cookie field to new Function('require',...) , and invokes it with the real require capability. The invocation is concealed at the end of index.js behind a long run of tab whitespace on the same line as module.exports = leanhooksPlugin; , and the file carries a false Mongoose LeanHooks Plugin header that does not match the package's advertised purpose. The remote content is attacker-mutable (unpinned, no hash/signature) and executes with full module-loading capability, giving arbitrary remote code execution in any Node.js process that imports the package. The package name and description impersonate the widely used TypeChain project ( type-safe bindings for Ethereum smart contracts ), while the shipped code is an unrelated Mongoose plugin stub bolted to the remote loader; the repository URL ( drudge/evm-typeschain ) is a spelling mismatch. This is a typosquat lure fronting an import-time RCE dropper.

Source: amazon-inspector (0a78b4d04410e295cbe340c95e6800a0777717d46ce136f0c30b5593d1bd9738)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.