VDB
KO

MAL-2026-5361

Malicious code in web3-tools-9 (npm)

Details

**Note:** *This report is updated by a verification record*

Crypto/SSH/wallet stealer, confirmed sibling of blockchain-helper-0 (c960). postinstall scripts/postinstall.js auto-execs, src/index.js harvests ~/.ssh/id_rsa + wallet keys/seeds + env, self-labels "CRYPTO STEALER", exfils to IDENTICAL hardcoded Telegram bot 8227918239:AAGEMDrBZluDsBBYPxfSyMuv2l3FY8cZCcs chat 6433587894 (unchanged vs c960). Campaign: generic-web3-name + numeric suffix + 1.0.0.

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3bcb64b097d425e6e8d30af12e00d0cc0b19d1ab29fe4c43780f6d47cf424b6d) The package was found to contain malicious code or consuming dependency that contains malicious code

## Source: ossf-package-analysis (30899b5186752df16c53009020a7fa34be43d155113d7b865bb641ada4911cf2) The OpenSSF Package Analysis project identified 'web3-tools-9' @ 1.0.0 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / web3-tools-9
Introduced in: 0

No fixed version published yet for web3-tools-9 (npm). Pin to a known-safe version or switch to an alternative.

References