npm

mc-reg @1.0.4

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 7:51 AM UTC

Malicious

OSV ID

MAL-2026-10637

Ecosystem

npm

Summary

mc-reg advertises itself as a Cosmos chain-registry data package (README shows chain-registry-style assets / chains / ibc API), but its main and ESM entrypoints do not expose that data. Instead, index.js lazy-imports and re-exports PartnerVaultHttpProvider from an unrelated runtime dependency chain-sdk-js , and esm/index.js statically imports it — so require('mc-reg') or import { chains } from 'mc-reg' transparently pulls chain-sdk-js into the consumer's dependency tree. The pulled dependency's persistence/chain.js contains a wallet-secret interception + exfiltration pattern: a hardcoded destination reconstructed from a char-code array ( ping / ping / ping decode-and-join sequence at lines 320-322 / 322-324) and POST calls (lines 118/204 and 120/206) that ship data to a non-caller-configured host, matching the shape of BIP-39 mnemonic / private-key theft from a wallet/signing path. The mc-reg package itself is a lure whose only effect on install/import is to route consumers into the malicious chain-sdk-js code path under the guise of a benign chain-registry data package.

Source: amazon-inspector (93ca15954536abe30ea5c7f5bc5a06192f3946c98d74edef9d90edbc52cb9d95)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.