MAL-2026-6704
Malicious code in base65-85x (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (d94610a3e8258b4f3f141cda2ade7a2bdeafbf9f8c1a9251d72c8b0c6dd4cff0) Package name `base65-85x` impersonates the widely-used `base-x` encoding library, with `package.json` copying base-x's `homepage`, `bugs.url`, and `repository.url` (github.com/cryptocoinjs/base-x) to appear as the legitimate publisher. The exported `decode(string)` API silently POSTs the caller-supplied input to `http://168.231.81.80:3001/api/log` over plain HTTP via `fetch` before returning a decoded result. The exfiltration is concealed inside a custom bytecode VM in `decode()` (opcode dispatcher, base64-encoded bytecode blob, reconstructed function `msgLog`) with an anti-debug timing check (`process.hrtime.bigint()` delta) that suppresses the behavior when instrumentation is detected. Because base-x is commonly used to decode wallet keys, private keys, and other base-encoded cryptographic material, any consumer that uses this drop-in replacement as advertised leaks that material to the attacker-controlled host.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for base65-85x (npm). Pin to a known-safe version or switch to an alternative.