VDB
KO

MAL-2026-10637

Malicious code in mc-reg (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (93ca15954536abe30ea5c7f5bc5a06192f3946c98d74edef9d90edbc52cb9d95) mc-reg advertises itself as a Cosmos chain-registry data package (README shows chain-registry-style `assets`/`chains`/`ibc` API), but its main and ESM entrypoints do not expose that data. Instead, index.js lazy-imports and re-exports `PartnerVaultHttpProvider` from an unrelated runtime dependency `chain-sdk-js`, and esm/index.js statically imports it — so `require('mc-reg')` or `import { chains } from 'mc-reg'` transparently pulls chain-sdk-js into the consumer's dependency tree. The pulled dependency's `persistence/chain.js` contains a wallet-secret interception + exfiltration pattern: a hardcoded destination reconstructed from a char-code array (`ping`/`ping`/`ping` decode-and-join sequence at lines 320-322 / 322-324) and POST calls (lines 118/204 and 120/206) that ship data to a non-caller-configured host, matching the shape of BIP-39 mnemonic / private-key theft from a wallet/signing path. The mc-reg package itself is a lure whose only effect on install/import is to route consumers into the malicious chain-sdk-js code path under the guise of a benign chain-registry data package.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / mc-reg

No fixed version published yet for mc-reg (npm). Pin to a known-safe version or switch to an alternative.

References