web3-eth-utils @6.2.8
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID
MAL-2026-6326
Ecosystem
npm
Summary
Package name, README, repository URL, contributors, and module structure are copied from the legitimate '@ethereumjs/util' / 'ethereumjs-util' package, presenting itself as a drop-in for that widely used Ethereum utility library. The compiled Node entry dist/index.js contains a side-effect-only require("assertcore") at line 60 (no symbols from the module are used), and assertcore is declared as a runtime dependency (^3.1.7) in package.json. This require is absent from the TypeScript source src/index.ts and from the browser bundle dist.browser/index.js, so it was injected into the shipped Node bundle after the build, a deliberate smuggling pattern. Any consumer who installs web3-eth-utils believing it to be the real ethereumjs util package will pull assertcore into their dependency tree and execute its top-level code on every require('web3-eth-utils'), handing arbitrary install/require-time execution to the assertcore maintainer.
Source: amazon-inspector (4a262e70316cd74a87b043cd1985e456639781763d4a3ef69aa09d99a2795154)
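The finding above rests on two checks a reviewer can reproduce: a statement-level require() in the shipped Node bundle that binds nothing and has no counterpart in the source or the browser bundle, and a lock file that shows the package (and the dependency it drags in) actually installed. The script below is an added example, not code from the OSV record, from amazon-inspector, or from either npm package; it works on constructed stand-ins (SAMPLE_PACKAGE, "example-pkg", SAMPLE_LOCK, "consumer-app" are placeholders), while the package names and versions in the lock-file sample are the ones this report cites. The scan is textual, not an AST parse, so a require hidden in a comment or split across lines is out of its scope.

```javascript
// Added example, not code from the OSV report, amazon-inspector, or either npm
// package it names. Heuristic textual scan for a require() smuggled into a
// shipped Node bundle, plus a consumer-side lock-file check.
// SAMPLE_PACKAGE, "example-pkg", SAMPLE_LOCK and "consumer-app" are constructed.

// Statement-level `require("x");` with nothing done to the return value.
// Textual heuristic, not an AST parse.
function sideEffectRequires(code) {
  const re = /^[ \t]*require\(\s*(['"])([^'"]+)\1\s*\)[ \t\r]*;?[ \t\r]*$/gm;
  const found = [];
  let m;
  while ((m = re.exec(code)) !== null) found.push(m[2]);
  return found;
}

// Every module specifier a file references via require() or ESM import/from.
function referencedModules(code) {
  const mods = new Set();
  const patterns = [
    /require\(\s*(['"])([^'"]+)\1\s*\)/g,
    /\b(?:from|import)\s+(['"])([^'"]+)\1/g,
  ];
  for (const re of patterns) {
    let m;
    while ((m = re.exec(code)) !== null) mods.add(m[2]);
  }
  return mods;
}

// "pkg/sub" -> "pkg", "@scope/pkg/sub" -> "@scope/pkg", relative path -> null.
function packageNameOf(specifier) {
  if (specifier.startsWith(".") || specifier.startsWith("/")) return null;
  const parts = specifier.split("/");
  return specifier.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

// Flag side-effect-only requires present in the Node bundle but absent from
// the source, and record whether the browser bundle and manifest know them.
function findSmuggledRequires({ distNode, src, distBrowser, packageJson }) {
  const inSrc = referencedModules(src);
  const inBrowser = referencedModules(distBrowser);
  const deps = Object.keys(JSON.parse(packageJson).dependencies || {});
  const findings = [];
  for (const mod of sideEffectRequires(distNode)) {
    if (inSrc.has(mod)) continue; // compiled from the source, not injected
    const pkg = packageNameOf(mod);
    findings.push({
      module: mod,
      inBrowserBundle: inBrowser.has(mod),
      declaredDependency: pkg !== null && deps.includes(pkg),
    });
  }
  return findings;
}

// Consumer-side check: installs of denylisted packages in a package-lock.json
// (lockfileVersion 2 or 3, whose "packages" map is keyed by install path).
function flaggedPackagesInLock(lockText, denylist) {
  const packages = JSON.parse(lockText).packages || {};
  const hits = [];
  for (const [path, entry] of Object.entries(packages)) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" is the root project itself
    const name = path.slice(idx + "node_modules/".length);
    if (denylist.includes(name)) hits.push({ path, name, version: entry.version });
  }
  return hits;
}

// Constructed stand-in for a package under review: the bare require exists
// only in the Node bundle and the manifest, as in the report.
const SAMPLE_PACKAGE = {
  src: `import { keccak256 } from "ethereum-cryptography/keccak";
export { keccak256 };
`,
  distBrowser: `"use strict";
const keccak_1 = require("ethereum-cryptography/keccak");
exports.keccak256 = keccak_1.keccak256;
`,
  distNode: `"use strict";
const keccak_1 = require("ethereum-cryptography/keccak");
require("assertcore");
exports.keccak256 = keccak_1.keccak256;
`,
  packageJson: JSON.stringify({
    name: "example-pkg",
    dependencies: { "ethereum-cryptography": "^2.0.0", assertcore: "^3.1.7" },
  }),
};

// Constructed lock file for a consumer that installed the reported package.
const SAMPLE_LOCK = JSON.stringify({
  name: "consumer-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "consumer-app", dependencies: { "web3-eth-utils": "6.2.8" } },
    "node_modules/web3-eth-utils": { version: "6.2.8", dependencies: { assertcore: "^3.1.7" } },
    "node_modules/assertcore": { version: "3.1.7" },
  },
});

console.log(findSmuggledRequires(SAMPLE_PACKAGE));
console.log(flaggedPackagesInLock(SAMPLE_LOCK, ["web3-eth-utils", "assertcore"]));
```

Run against a real package, read the three files and package.json from the unpacked tarball (npm pack, then extract) rather than from a checkout, since the point of the finding is that the published artifact differs from the repository source. A hit with inBrowserBundle false and declaredDependency true is the exact shape described above; a require that is also in src is ordinary compiled output and is skipped.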