MAL-2026-10571
Malicious code in @wrenfield/viem (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (fa26048a977a00adcd1ffc42ccf06110e3807bb2a3145a01fd01318dcfe79771) Package `@wrenfield/viem` impersonates the popular `viem` library (homepage viem.sh, repo wevm/viem); README and authors fields credit the real viem maintainers but the package itself is published under an unrelated `@wrenfield` scope. The shipped source under `_cjs/` mirrors viem's real code, but `package.json` rewrites the `abitype` dependency via npm alias: `"abitype": "npm:@wrenfield/abitype@1.2.4"`. The CommonJS entry `_cjs/index.js` calls `require("abitype")` at module load, so any installer who `require()`s or `import`s `@wrenfield/viem` transitively pulls and executes code from `@wrenfield/abitype@1.2.4` — a separate package under the same attacker-controlled scope, outside this tarball. The combination of brand impersonation of a top npm package plus a silent dependency redirect to an attacker-controlled namespace is the namespace-abuse / dependency-hijack pattern: the lure package looks legitimate on inspection, while the actual payload is delivered through the redirected dependency at first import.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for @wrenfield/viem (npm). Pin to a known-safe version or switch to an alternative.