npm

mchain-sdk @4.2.5

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-10012

Ecosystem

npm

Summary

package.json declares a postinstall hook node./src/core/index.js . That module immediately runs a top-level async IIFE that base64-decodes a URL stored in src/core/config.js under MULTI_CHAIN_CONFIG.dev.apiKey (decoding to https://jsonkeeper.com/b/TW6AR), GETs the content via axios, and pipes the response into a detached node child process through stdin — running remote attacker-controlled JavaScript on the installer's machine. The same payload also fires at library load time: src/index.js (the package main) imports multiChainInterface from./core/index.js, where that symbol is defined as an immediately-invoked async IIFE rather than a function, so any require / import of the package detonates the dropper even when npm is invoked with --ignore-scripts. The remote endpoint is an anonymous paste on jsonkeeper.com whose content is mutable and unverified. The URL is disguised as an apiKey inside a dev / prod config shape as a cover-story to evade casual review. The package clones the API surface, README, and wiki links of the legitimate uhop/stream-chain library and republishes it under the name mchain-sdk with the hostile payload appended — a typosquat/brand-clone repackage with an install- and import-time dropper.

Source: amazon-inspector (a5249b7e6ec4cba8f4a3b2d332ec69069c1ca39eabec04a1372500ea25952280)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.