—

MAL-2026-6695

Malicious code in ts-bn-proto (npm)

Details

Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. `ts-bn-proto` embeds an infostealer payload directly in `index.js` with a base64-encoded C2 address (`data-stream.space`), executed at install time via a `postinstall` hook. The payload harvests cryptocurrency wallet vaults (MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, TronLink), browser cookies and credentials, SSH keys, AWS credentials, developer secrets, and password manager databases, then exfiltrates all data to the attacker-controlled C2.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / ts-bn-proto

Introduced in: 0

No fixed version published yet for ts-bn-proto (npm). Pin to a known-safe version or switch to an alternative.

References

https://safedep.io/defi-infostealer-fake-arbitrage-bot-npm/ [REPORT]