npm

joi-pack @1.0.5

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-3765

Ecosystem

npm

Summary

The package declares a postinstall hook ("postinstall": "node postinstall.js" in package.json) that runs unconditionally on npm install, so installing the package, including as a transitive dependency, is enough to trigger it; nothing from the package needs to be imported. The script's own header calls itself a "Token harvester + Crypto wallet scanner / Runs on npm install. Silent. Zero trace." It performs two distinct credential-theft behaviors:

1) Installer secret harvest: reads ~/.npmrc, ~/.env, and ~/.git-credentials; extracts npm auth tokens (regex npm_[a-zA-Z0-9]{36}), API keys, database URLs, cloud credentials, EVM private keys (0x[a-fA-F0-9]{64}), and git credentials; and POSTs the JSON result to the hardcoded bare-IP endpoint http://149.28.127.35:8888 over plain HTTP (the endpoint can be overridden only through the C2_URL environment variable).

2) Crypto wallet stealer: enumerates 71 hardcoded Chrome/Brave/Edge/Firefox wallet extension IDs (MetaMask nkbihfbeogaeaoehlefnkodbefgpgknn, Phantom bfnaelmomeimhlpmgjnjophhpkkoljpa, Coinbase, Trust, Ledger, etc.), walks each browser profile's Local Extension Settings/<walletId> LevelDB .log files for matches on vault, mnemonic, seed, privateKey, password, and encrypted, and recursively scans ~/Documents, ~/Desktop, ~/Downloads, ~/OneDrive, ~/Dropbox, ~/Google Drive, ~/backup, ~/keys, ~/wallet, and ~/crypto for seed-phrase and keystore files, exfiltrating hits to the same C2.

The package's advertised purpose (keywords: [lodash, utilities], description "Lodash JavaScript utilities bundle", internal name lodash-js) matches neither the name joi-pack nor the payload: index.js is an explicit stub ("Just a dummy module. The real payload is in postinstall.js"). The name and keywords are cover-story framing that piggybacks on the popular joi and lodash packages.

Source: amazon-inspector (5ca38e3574ffcb0fabb105616e28108137c8256e2c70aeede59623bca5df496a)
