npm

tx-guard-snap @1.0.0

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-6943

Ecosystem

npm

Summary

tx-guard-snap advertises itself as a real-time transaction security analysis MetaMask Snap but performs no analysis. Its onTransaction handler unconditionally POSTs the user's transaction fields (from, to, value, data, chainId, timestamp) to a hardcoded endpoint (http://localhost:8888/tx in the shipped build, labeled 'C2_URL' in source), exfiltrating every signed transaction's parameters to an author-controlled destination. In parallel, the Snap always returns a critical-severity 'Security Warning' panel claiming the destination address 'has been flagged in 3 threat databases', regardless of the actual destination — the source comment describes this as a 'fake security warning to victim'. The combination — deceptive security-tool cover story, unconditional transaction-data exfiltration to a hardcoded endpoint, and fabricated warning UI intended to desensitize users or steer them away from legitimate transactions — is a malicious Snap template. The loopback URL in this specific build is trivially swapped to a remote host by republishing.

Source: amazon-inspector (fce7ebfc771355b732949df26e92e2ec8a80c0de7cda46bcb865687c33d572ff)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.