MAL-2026-10499
Malicious code in eth-lib-utils (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (13895e2e8ee4aa9683c2fd6f0f873a38b19bbc5af207233e22c51668bc7dba41) Package eth-lib-utils@5.2.3 impersonates @ethereumjs/util / ethereumjs-util (README, author list, repository URL, and source tree copied from the legitimate package). The published Node build dist/index.js contains an unconditional `require("assertcore")` at module load that is absent from the TypeScript source src/index.ts and from the parallel dist.browser/index.js — the import was injected only into the shipped artifact. The required name `assertcore` is not declared in package.json; the declared dependency is the differently-named `assertcoreutils` (^2.3.2), an unrelated name shaped to look like an Ethereum companion package. The effect on a consumer that runs `require('eth-lib-utils')` in Node is to load whatever code is published under `assertcore` / `assertcoreutils` in the installer's process, while the package presents itself as a drop-in for a widely-used Ethereum utility. This is the standard typosquat-plus-transitive-dropper shape: the lure package looks like a clean re-export, the harmful code lives one resolution hop away in a name the installer never asked for.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for eth-lib-utils (npm). Pin to a known-safe version or switch to an alternative.