npm

kecak256 @1.0.5

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 1:25 AM UTC

Malicious

OSV ID

MAL-2026-5342

Ecosystem

npm

Summary

Package name kecak256 is a single-character deletion of the widely-used keccak256 package by Miguel Mota, and package.json sets author.name to 'Miguel Mota' — matching the legitimate package's maintainer identity. The code in kecak256.js is a verbatim copy of the legitimate keccak256 implementation: it exports a clean keccak256() function with no lifecycle scripts, no network I/O, no obfuscation, no credential reads, and no eval/exec. At this version the package is functionally benign, but the name-confusion shape combined with author impersonation is a supply-chain hygiene concern: developers who mistype keccak256 resolve to this package, and the namespace is positioned for a future malicious update under an impersonated identity. Routing for human review since name-similarity judgments are subjective and no installer-harm payload is present in this version.

Source: amazon-inspector (96b5e944a53a17f8f09fb68b1577592760eae7ff8da438663a3f4d6b1153db79)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.