MAL-2026-6688
Malicious code in console-fmt-cli (npm)
Details
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. `console-fmt-cli` uses a side-loader technique: it declares `decimal-format-core >=3.0` as a dependency, which contains a dropper that executes at install time via a `postinstall` hook. The dropper fetches a second-stage infostealer from a remote C2 (`logstream-api.online`) that harvests cryptocurrency wallet vaults (MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, TronLink), browser cookies and credentials, SSH keys, AWS credentials, `.npmrc` tokens, Docker config, shell history, and password manager databases.
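The side-loader chain described above can be checked for in a project's lockfile. The following is an added example, not code from the advisory or from npm: it assumes a parsed `package-lock.json` with lockfileVersion 2 or 3 (a `packages` map), and the sample lockfile and its version numbers are constructed.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3)
// for the two package names given in this advisory.
const FLAGGED = new Set(["console-fmt-cli", "decimal-format-core"]);

// "node_modules/a/node_modules/@s/b" -> "@s/b"; the root entry "" -> ""
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromPath(path);
    if (FLAGGED.has(name)) {
      // hasInstallScript is npm's lockfile marker for install-time hooks.
      findings.push({ kind: "installed", path, version: meta.version || null,
                      installScript: meta.hasInstallScript === true });
    }
    // Side-loader link: any package (including the root project) that
    // declares a flagged name pulls it in even if it looks harmless itself.
    const declared = { ...meta.dependencies, ...meta.optionalDependencies,
                       ...meta.devDependencies };
    for (const dep of Object.keys(declared)) {
      if (FLAGGED.has(dep)) {
        findings.push({ kind: "declares", path: path || "(root project)",
                        dep, range: declared[dep] });
      }
    }
  }
  return findings;
}

// Constructed sample lockfile; versions are placeholders, not from the advisory.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "console-fmt-cli": "^1.0.0" } },
    "node_modules/console-fmt-cli": {
      version: "1.0.0", dependencies: { "decimal-format-core": ">=3.0" } },
    "node_modules/decimal-format-core": { version: "3.0.0", hasInstallScript: true },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

A `declares` finding on a package that is not itself flagged shows which dependency pulled the dropper in. An `installed` finding with `installScript: true` means the hook may already have run on any machine that installed from that lockfile.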
Affected packages
No fixed version published yet for console-fmt-cli (npm). Pin to a known-safe version or switch to an alternative.