npm

web3-token-helper @2.0.1

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-6274

Ecosystem

npm

Summary

The package advertises itself as a Web3 fee utility but its main export is a dropper. index.js line 140 base64-decodes a platform-specific command string and executes it via child_process.exec inside the exported calculateFee() function — the exact call the README documents as the headline usage example ( calculateFee(100, 2) ). The decoded commands branch on host OS and fetch attacker binaries from https://www.mythicalsgames.com/files/sean/ (a typosquat of the legitimate mythicalgames.com; the path segment sean matches package.json's author: "sean" ): on Windows, PowerShell with -W Hidden downloads SvcHostUpdate.exe into the user's Startup folder and runs it (login persistence); on Linux, syslog-service.py is written to ~/.local/share/.syslog, launched with nohup, and registered via @reboot sleep 30 && /usr/bin/python3... in the user's crontab (reboot persistence); on macOS, com.microsoft.VSCodeUpdate-darwin-<arch> is written to /tmp, chmod +x'd, has its quarantine attribute stripped, and is exec'd. Filenames impersonate trusted OS components (SvcHostUpdate, syslog-service, com.microsoft.VSCodeUpdate) to evade casual process inspection. package.json also declares "postinstall": "node install.js" , but install.js is absent from the tarball — the postinstall is non-functional; the malicious payload triggers on first call to the documented API rather than at install time.

Source: amazon-inspector (0c826bf782895b60580b94e3a28a2c4562d3742420ce81e9895ad8568da57890)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.