wagmi_util @3.6.19
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID
MAL-2026-6347
Ecosystem
npm
Summary
Package wagmi_util impersonates the popular wagmi package: it copies wagmi's tagline ("React Hooks for Ethereum"), re-exports wagmi's full React-hooks public API (WagmiProvider, useConnect, useWalletClient, useSignMessage, useSendTransaction, useWriteContract, etc.), and links to wagmi.sh in JSDoc — while being published by an unrelated author, with no legitimate wagmi_util package existing under the wevm namespace. The package.json declares a runtime dependency on sync-external@1.6.2, but no source file in the package imports sync-external; every internal use of useSyncExternalStoreWithSelector imports the legitimate use-sync-external-store/shim/with-selector.js instead. Installing wagmi_util therefore silently pulls sync-external@1.6.2 into the installer's dependency tree even though the wrapper's own code never loads it. The wrapper itself consists of clean re-exports of wagmi; the attack surface is the unused-but-pinned transitive dependency, which a developer choosing a wagmi-adjacent utility would not expect to receive.
Source: amazon-inspector (e44ca5f8da70044150618d34a591d8a6d72aa77a5e22eb30da3e86f4b74c76ef)
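The pattern described in the summary, a dependency that is declared in package.json but never imported by any source file, can be checked for mechanically. The following is an added example, not code from the OSV record or from wagmi; it scans source text for import/require specifiers, resolves each to its package name (handling scoped packages and deep paths such as use-sync-external-store/shim/with-selector.js), and reports declared dependencies that nothing references. The package.json contents and source files below are constructed to mirror the layout the advisory describes.

```javascript
// Match ES imports/re-exports, side-effect imports, dynamic import() and require().
// Specifiers inside comments or strings will also match; that only causes a
// dependency to look "used", never a false report of an unused one.
const IMPORT_RE =
  /\b(?:import|export)\b[^'"]*?from\s*['"]([^'"]+)['"]|\bimport\s*\(\s*['"]([^'"]+)['"]\s*\)|\brequire\s*\(\s*['"]([^'"]+)['"]\s*\)|\bimport\s*['"]([^'"]+)['"]/g;

// Reduce a module specifier to the npm package it belongs to.
// Relative paths, absolute paths and node: builtins are not packages.
function packageNameOf(specifier) {
  if (/^(\.|\/|node:)/.test(specifier)) return null;
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// sourceFiles: { [path]: contents }. Returns the set of package names referenced.
function referencedPackages(sourceFiles) {
  const seen = new Set();
  for (const code of Object.values(sourceFiles)) {
    for (const m of code.matchAll(IMPORT_RE)) {
      const name = packageNameOf(m[1] ?? m[2] ?? m[3] ?? m[4]);
      if (name) seen.add(name);
    }
  }
  return seen;
}

// Declared runtime dependencies that no source file loads. Exact-name comparison
// matters: "sync-external" must not be counted as used because
// "use-sync-external-store" is imported.
function unreferencedDependencies(pkg, sourceFiles) {
  const used = referencedPackages(sourceFiles);
  return Object.keys(pkg.dependencies ?? {}).filter((dep) => !used.has(dep));
}

// Constructed sample (versions other than sync-external@1.6.2 are placeholders).
const samplePkg = {
  name: 'wagmi_util',
  dependencies: { wagmi: '*', 'use-sync-external-store': '*', 'sync-external': '1.6.2' },
};
const sampleSources = {
  'src/index.js': "export * from 'wagmi';\nexport { WagmiProvider, useConnect } from 'wagmi';\n",
  'src/store.js':
    "import { useSyncExternalStoreWithSelector } from 'use-sync-external-store/shim/with-selector.js';\n" +
    "const fs = require('node:fs');\nimport('./local.js');\n",
};

console.log(unreferencedDependencies(samplePkg, sampleSources)); // → ['sync-external']
```

Run against a real package directory by reading package.json and every .js/.ts/.mjs/.cjs file into the sourceFiles map; a non-empty result is a prompt to inspect the listed packages before installing, not proof of malice by itself.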