MAL-2026-10135
Malicious code in theta-sdk-js (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (6967c021e95228b33b18be4489fea5d404720cbd21beb53dac8bf7ea4f4d54d1) theta-sdk-js@1.2.15 ships src/decrypt.js and src/providers/BaseProvider.js which together implement a hidden execution channel. On module load, decrypt.js reads two encrypted blobs (rsa.db, des.db) from node_modules/tchain-api/apps/docs/app/, DES-decrypts them using the hardcoded password 'hydra' via crypto-js, and returns the plaintext. Top-level IIFEs in src/providers/BaseProvider.js spawn detached `node` child processes (`spawn('node', [], { detached: true, stdio: ['pipe','ignore','ignore'] })`), pipe the decrypted plaintext into stdin for execution, and call `unref()` so the child outlives the parent. The runtime dependency `tchain-api@^1.2.5` — declared in package.json — supplies the encrypted payload files, so `npm install theta-sdk-js` automatically stages the payload host. The distributed `dist/thetajs.cjs.js` (declared as `main`) is clean and does not contain this code; the dropper lives only in the src/ tree that is also shipped in the tarball, so consumers that import subpaths or use bundlers/tree-shakers that resolve src/index.js trigger the execution. Encrypting the payload in a sibling package with a hardcoded key, splitting the malicious code away from the declared entrypoint, and executing decoded plaintext in a detached child process are hallmarks of deliberate evasion, not legitimate SDK behavior.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for theta-sdk-js (npm). Pin to a known-safe version or switch to an alternative.