MAL-2026-5564
Malicious code in @tonsdk/core (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (d9a9a70e3d8b322df960cb96b195f74693eb4d2ea284680e4cfb41a33f1848f8) @tonsdk/core impersonates the legitimate @ton/core TON blockchain SDK. On `npm install`, scripts/postinstall.js executes automatically and performs two attacker-controlled actions against a hardcoded bare-IP C2 at 213.218.160.189 (ports 8080 and 80) over plaintext HTTP. First, it base64-encodes a JSON fingerprint of the installer host — hostname, username, platform, arch — and sends it as a GET query string to `/s?q=<base64>`, leaking host identifiers on every install. Second, it fetches a response payload, optionally XOR-decrypts it, and passes the result to eval(), giving the operator arbitrary remote code execution in the installer's Node process. The script also probes for VM/sandbox/analyst tooling (vmtoolsd, vboxservice, wireshark, x64dbg, ida) to suppress execution in researcher environments. The package description and name target developers searching for TON SDK tooling; the repository URL (`aspect-build/tonsdk`) is unrelated to the real TON foundation.
## Source: ghsa-malware (57c76201082cb24093c4db6ec9c7c86cd0088eb36159e05bb61bb38be791188e) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Are you affected?
Enter the version of the package you're using.
Affected packages
0 No fixed version published yet for @tonsdk/core (npm). Pin to a known-safe version or switch to an alternative.