VDB
KO

MAL-2026-5352

Malicious code in blockchain-helper-0 (npm)

Details

**Note:** *This report is updated by a verification record*

Crypto/SSH/wallet stealer (self-labeled "CRYPTO STEALER"). postinstall scripts/postinstall.js auto-execs, src/index.js harvests ~/.ssh/id_rsa + wallet keys/seeds + env and exfils to hardcoded Telegram bot 8227918239:AAGEMDrBZluDsBBYPxfSyMuv2l3FY8cZCcs chat 6433587894. Auto-exec + hardcoded attacker Telegram exfil; "blockchain-helper" identity has no reason to read SSH/wallet keys.

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8b9fac34e13ad38cb702f7aad434d18aa276005fe5fa4cbe48c7eb65af26623d) The package was found to contain malicious code or consuming dependency that contains malicious code

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / blockchain-helper-0
Introduced in: 0

No fixed version published yet for blockchain-helper-0 (npm). Pin to a known-safe version or switch to an alternative.

References