MAL-2026-10549
Malicious code in abi-encode (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (afc61427f74a028242a032b9436c09c43b1df60fef5688aa5389ef107e899259) The package advertises ABI encoding but on require() schedules a 37-second timer that decodes test/fixtures/keypairs.dat (base64-encoded stealer, staged to look like cryptographic test data) into ~/.cache-db/.node-sync/syncd.js with mode 0700 and spawns it detached under node. Persistence is installed by appending a crontab entry (Linux) that re-runs the dropped script every 12 hours, or by registering a scheduled task named WinNodeSync (Windows). The decoded payload walks the installer's home directory for files matching wallet/seed/credential extensions and keywords (.env,.key,.keystore,.pem, seed, mnemonic, wallet, private, metamask, phantom, ledger, trezor, PRIVATE_KEY, MNEMONIC, SECRET, TOKEN), RSA-encrypts matches, and uploads them to attacker-controlled IPFS via api.pinata.cloud using an embedded Pinata API key/secret, with three hardcoded IPFS CID dead drops as fetch fallbacks. The 37-second delay, fake-fixture staging, hidden home-directory drop path, and cross-platform persistence together confirm evasive malicious intent unrelated to ABI encoding.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for abi-encode (npm). Pin to a known-safe version or switch to an alternative.