MAL-2026-10529
Malicious code in @wrenfield/abitype (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (1d1b16f2fdde2184bdcfb6f2c91f18c328dee9aa1bb111f86d3130f47c42c9e5) Package @wrenfield/abitype impersonates the well-known wevm/abitype library: it copies the upstream README verbatim (links to abitype.dev, wevm.eth, contributors awkweb.eth and jxom.eth) and retains "repository": "wevm/abitype" in package.json, while publishing under an unrelated @wrenfield scope. Two import-reachable files in the published tarball — dist/cjs/human-readable/runtime/utils.js (line 238 onward) and dist/esm/exports/index.js (line 19 onward) — carry an obfuscator.io payload (RC4-decoded ~580-entry string array, control-flow flattening, anti-debug self-defending) appended after the legitimate abitype source. The decoded payload dynamically loads node http/https, issues a GET to a runtime-constructed remote endpoint with a custom User-Agent, follows 301/302/303/307/308 redirects, writes the response to disk, fs.chmodSync's it to 0o755, and executes the bytes via spawn(process.execPath,..., {detached:true, stdio:'ignore'}) and via spawn('sh', ['-c',...]). Because dist/cjs/human-readable/runtime/utils.js is reached through the package's main entry (parseAbiItem → utils) and the file is listed in package.json sideEffects, the downloader fires automatically on require('@wrenfield/abitype') / import. Installing or loading this package runs attacker-controlled code on the installer's machine.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for @wrenfield/abitype (npm). Pin to a known-safe version or switch to an alternative.