VDB
KO

MAL-2026-10606

Malicious code in base58-utils (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (ba5517883cb10a7c76e95fdf21a4ffce21c13fe1ca42fafc13f5adb021599772) The package's index.js contains multiple Buffer.from(...) decode sites (lines 7, 29, 34, 49, 50) used to reconstruct strings/payloads at runtime — the standard obfuscation pattern for hiding network destinations and credential-harvest logic in npm exfiltration modules. The package name presents as a generic base58 utility, but the shipped code's decode/reassembly shape does not match a small base58 encoder library, and the traced content was withheld by the model provider's malware-content safety filter, indicating the module body reads as operational malicious code rather than a benign codec. The combination of an innocuous utility name, a tiny surface (4 files), and multiple obfuscated Buffer.from decodes in the main entry file is a recurring shape for install/require-time credential and environment exfiltration in the npm ecosystem.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / base58-utils

No fixed version published yet for base58-utils (npm). Pin to a known-safe version or switch to an alternative.

References