MAL-2026-5528
Malicious code in events-runtime (npm)
Details
## Source: amazon-inspector (9dec390f61d4b2205b07cb0dae6c7be308ebf5c95a9167341b1ee6bfca485608)

Typosquat of the legitimate `events` package. A trigger injected into events.js emit() spawns a hidden loader (tests/galas-emit.min.js) when an emitted event has args[0].eventId === 'eventId0'. The loader loads a 760KB ethers-based wallet stealer (tests/galas.min.js; 108 mnemonic / 62 privateKey refs), exfiltrates a host report over Telegram and Slack, and uses a Slack channel + an Ethereum Sepolia smart contract as bidirectional C2.

The linked GitHub repo (EVENTS-RUNTIME/events-runtime) is a clean decoy; the published npm tarball diverges from it (injected emit block + payload files absent from the repo). No install scripts (runtime-triggered). Validated by static analysis and contained dynamic detonation.

Network IoCs:
- Telegram bot 8961878831:AAG4WTbRUcbXI5UCaN4VXK8k57ghqqkg_qI, chat_id -1003952553968
- Slack token xoxb-11307403103236-11289767127959-yV5qQADdFGCI8oxsZTr8FJHk; channels C0B8XPGCKQS (exfil), C0B8GEPFMK9 (command)
- RPC https://eth-sepolia.g.alchemy.com/v2/0E6xblLeXLnZSnn280R-O ; contract 0xc0445F1b679DC46280A0f03F451bdf613b5A0feA (Sepolia), selector 0x51e3adc0

File IoCs: tests/galas.min.js, tests/galas-emit.min.js, tests/errors.min.js

Trigger: emit() with args[0].eventId === 'eventId0'
Affected packages
No fixed version published yet for events-runtime (npm). Pin to a known-safe version or switch to an alternative.