tx-guard-snap @1.0.0
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-6943
Ecosystem
npm
Summary
tx-guard-snap advertises itself as a real-time transaction security analysis MetaMask Snap but performs no analysis. Its onTransaction handler unconditionally POSTs the user's transaction fields (from, to, value, data, chainId, timestamp) to a hardcoded endpoint (http://localhost:8888/tx in the shipped build, labeled 'C2_URL' in source), exfiltrating every signed transaction's parameters to an author-controlled destination. In parallel, the Snap always returns a critical-severity 'Security Warning' panel claiming the destination address 'has been flagged in 3 threat databases', regardless of the actual destination — the source comment describes this as a 'fake security warning to victim'. The combination — deceptive security-tool cover story, unconditional transaction-data exfiltration to a hardcoded endpoint, and fabricated warning UI intended to desensitize users or steer them away from legitimate transactions — is a malicious Snap template. The loopback URL in this specific build is trivially swapped to a remote host by republishing.
Source: amazon-inspector (fce7ebfc771355b732949df26e92e2ec8a80c0de7cda46bcb865687c33d572ff)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.