VDB
KO

MAL-2026-10413

Malicious code in eth-base (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (bcc98bc680f3d0b8c6dcf396d9f2425a5153658259014384cedf82698413755b) The published lib/index.js contains ~60KB of obfuscated JavaScript appended after a copy of the legitimate web3.js web3-core-subscriptions module. On require(), the appended IIFE loads axios, issues an HTTPS request to a URL reconstructed at runtime from custom base-85 alphabets, and on a specific response constructs `new Function('require', <remote-token>)(require)` to execute attacker-supplied JavaScript in-process with full Node require access. The corresponding src/index.js is the clean upstream module, indicating the payload was injected only into the shipped build. The package name and description impersonate a web3.js helper (LGPL header still credits Fabian Vogelsteller <fabian@ethereum.org>) while the repository field is empty. Consumers who require this package receive arbitrary code execution on the installing host at load time.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / eth-base

No fixed version published yet for eth-base (npm). Pin to a known-safe version or switch to an alternative.

References