VDB
EN

MAL-2026-10608

Malicious code in chain-sdk-js (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (26a55087b41c67e97ba4392519ae3253cea57d313c7771503c769a0effcfcf59) chain-sdk-js@1.0.3 publishes itself as a JavaScript SDK for the Theta Blockchain and mimics the legitimate @thetalabs/theta-js project, including reproducing its source tree and shipping dist bundles named thetajs.cjs.js and thetajs.umd.js. The dist entry points (dist/chain-sdk-js.cjs.js and its ESM/UMD siblings, plus the thetajs.* variants) contain top-level loader code that runs on require()/import: it reads two encrypted blobs (rsa.db and des.db) from the sibling runtime dependency `thedata` at node_modules/thedata/apps/docs/app/, DES-decrypts them with the hardcoded password 'hydra', spawns a child `node` process via child_process.spawn('node', []), and writes the decrypted content into that process's stdin. This executes attacker-controlled, opaque code on the installer's machine as soon as the module is loaded. The loader is absent from src/index.js's import graph, indicating it was injected only into the built bundles. The companion package `thedata` exists solely to host the encrypted payload, splitting the attack across two npm packages to evade single-package scanners.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / chain-sdk-js

No fixed version published yet for chain-sdk-js (npm). Pin to a known-safe version or switch to an alternative.

참고