OSV ID
MAL-2026-5342
Ecosystem
npm
Summary
Package name kecak256 is a single-character deletion of the widely-used keccak256 package by Miguel Mota, and package.json sets author.name to 'Miguel Mota' — matching the legitimate package's maintainer identity. The code in kecak256.js is a verbatim copy of the legitimate keccak256 implementation: it exports a clean keccak256() function with no lifecycle scripts, no network I/O, no obfuscation, no credential reads, and no eval/exec. At this version the package is functionally benign, but the name-confusion shape combined with author impersonation is a supply-chain hygiene concern: developers who mistype keccak256 resolve to this package, and the namespace is positioned for a future malicious update under an impersonated identity. Routing for human review since name-similarity judgments are subjective and no installer-harm payload is present in this version.
Source: amazon-inspector (96b5e944a53a17f8f09fb68b1577592760eae7ff8da438663a3f4d6b1153db79)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.