npm

thirdwebb @0.0.8

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 1:25 AM UTC

Malicious

OSV ID

MAL-2026-6694

Ecosystem

npm

Summary

Package name 'thirdwebb' differs from the established 'thirdweb' SDK by a single trailing character, a classic typosquat shape against a popular Web3 SDK. No installer-harm behavior was observed in the package's code (no exfiltration, no install-time fetch-and-execute, no silent relay, no credential distribution). Name-similarity alone is a subjective signal that benefits from human assessment of intent before a public block is issued.

Source: amazon-inspector (fd284ad2cc38caeba0c1f2c87f8b11e61eb1581d1fdff3b71cd4b1f1402f3bc3)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.