VDB
KO

MAL-2026-10552

Malicious code in eth-dev (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (51f051957ac6f91e8567df873978b45c0c81a170f94decbd735d329f312ff1bb) On require(), index.js schedules a 37-second delayed routine that reads test/fixtures/keypairs.dat, base64-decodes it into ~/.cache-db/.node-sync/syncd.js (mode 0o700), and spawns it detached via `node syncd.js`. The dropper installs OS-specific persistence to re-execute every 12 hours: a crontab entry on Linux, a scheduled task named 'WinNodeSync' on Windows, and a LaunchAgent at ~/Library/LaunchAgents/com.apple.syncd.plist on macOS. The decoded payload ('phantom syncd v3') walks the user's home directory matching filenames and contents against wallet/seed keywords (seed, mnemonic, recovery, wallet, private, metamask, phantom, ledger, trezor,...), pulls mutable configuration from a hardcoded GitHub Gist (juang55/b298754cb72942b1cdcf02ccd45cde2f), and uploads harvested material to Pinata IPFS using hardcoded API credentials embedded in the payload. Cover-story naming (keypairs.dat as a 'test fixture', com.apple.syncd, WinNodeSync) is used to mimic legitimate system services. The package presents itself as an Ethereum utilities library.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / eth-dev

No fixed version published yet for eth-dev (npm). Pin to a known-safe version or switch to an alternative.

References