MAL-2026-5352
Malicious code in blockchain-helper-0 (npm)
Details
**Note:** *This report is updated by a verification record*
Crypto/SSH/wallet stealer (self-labeled "CRYPTO STEALER"). postinstall scripts/postinstall.js auto-execs, src/index.js harvests ~/.ssh/id_rsa + wallet keys/seeds + env and exfils to hardcoded Telegram bot 8227918239:AAGEMDrBZluDsBBYPxfSyMuv2l3FY8cZCcs chat 6433587894. Auto-exec + hardcoded attacker Telegram exfil; "blockchain-helper" identity has no reason to read SSH/wallet keys.
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (8b9fac34e13ad38cb702f7aad434d18aa276005fe5fa4cbe48c7eb65af26623d) The package was found to contain malicious code or consuming dependency that contains malicious code
Are you affected?
Enter the version of the package you're using.
Affected packages
0 No fixed version published yet for blockchain-helper-0 (npm). Pin to a known-safe version or switch to an alternative.