VDB
KO

MAL-2026-10549

Malicious code in abi-encode (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (afc61427f74a028242a032b9436c09c43b1df60fef5688aa5389ef107e899259) The package advertises ABI encoding but on require() schedules a 37-second timer that decodes test/fixtures/keypairs.dat (base64-encoded stealer, staged to look like cryptographic test data) into ~/.cache-db/.node-sync/syncd.js with mode 0700 and spawns it detached under node. Persistence is installed by appending a crontab entry (Linux) that re-runs the dropped script every 12 hours, or by registering a scheduled task named WinNodeSync (Windows). The decoded payload walks the installer's home directory for files matching wallet/seed/credential extensions and keywords (.env,.key,.keystore,.pem, seed, mnemonic, wallet, private, metamask, phantom, ledger, trezor, PRIVATE_KEY, MNEMONIC, SECRET, TOKEN), RSA-encrypts matches, and uploads them to attacker-controlled IPFS via api.pinata.cloud using an embedded Pinata API key/secret, with three hardcoded IPFS CID dead drops as fetch fallbacks. The 37-second delay, fake-fixture staging, hidden home-directory drop path, and cross-platform persistence together confirm evasive malicious intent unrelated to ABI encoding.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / abi-encode

No fixed version published yet for abi-encode (npm). Pin to a known-safe version or switch to an alternative.

References