Malicious
OSV ID
MAL-2026-6694
Ecosystem
npm
Summary
Package name 'thirdwebb' differs from the established 'thirdweb' SDK by a single trailing character, a classic typosquat shape against a popular Web3 SDK. No installer-harm behavior was observed in the package's code (no exfiltration, no install-time fetch-and-execute, no silent relay, no credential distribution). Name-similarity alone is a subjective signal that benefits from human assessment of intent before a public block is issued.
Source: amazon-inspector (fd284ad2cc38caeba0c1f2c87f8b11e61eb1581d1fdff3b71cd4b1f1402f3bc3)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.