MAL-2026-6690

Malicious code in log-taker1 (npm)

Details

Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. `log-taker1` embeds a full infostealer (~2800 lines) directly in `index.js`, executed at install time via `postinstall: node test.js`. The payload harvests cryptocurrency wallet vaults (MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, TronLink), browser cookies and credentials, SSH keys, AWS credentials, `.npmrc` tokens, Docker config, shell history, and password manager databases, exfiltrating all data to the C2 domain `log-taker.store`. The C2 is shared with the `rohmat2527` maintainer account.
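The install-time hook and the C2 domain named above are the two indicators a defender can check for locally. The following is an added example (not code from the advisory or the vulnerability database) that walks a `node_modules` tree and flags the package name from this advisory, any lifecycle install script, and JavaScript files that reference the C2 domain; the package name, hook name and domain come from the advisory, the sample manifest and source text are constructed.

```python
"""Audit installed npm packages for the indicators in MAL-2026-6690 (added example)."""
import json
import os

MALICIOUS_PACKAGES = {"log-taker1"}          # package name from the advisory
C2_DOMAINS = {"log-taker.store"}             # C2 domain from the advisory
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")  # npm install-time hooks


def audit_manifest(manifest, sources):
    """Return findings for one package.

    manifest: parsed package.json as a dict.
    sources:  mapping of file name -> text of the package's .js files.
    """
    name = manifest.get("name", "<unnamed>")
    findings = []
    if name in MALICIOUS_PACKAGES:
        findings.append(f"{name}: package is listed in MAL-2026-6690")
    # Any install-time script deserves review; this campaign used postinstall.
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append(f"{name}: runs '{scripts[hook]}' in {hook}")
    # A hard-coded C2 domain in package source is a direct indicator.
    for fname, text in sources.items():
        for domain in C2_DOMAINS:
            if domain in text:
                findings.append(f"{name}/{fname}: references C2 domain {domain}")
    return findings


def audit_node_modules(root):
    """Walk a node_modules directory and collect findings for every package.json found."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except json.JSONDecodeError:
                continue  # not a package manifest we can parse; skip it
        sources = {}
        for fname in filenames:
            if fname.endswith(".js"):
                with open(os.path.join(dirpath, fname), encoding="utf-8", errors="replace") as fh:
                    sources[fname] = fh.read()
        findings.extend(audit_manifest(manifest, sources))
    return findings


# Constructed sample mirroring the advisory's description; not the real package contents.
SAMPLE_MANIFEST = {"name": "log-taker1", "version": "1.0.0",
                   "scripts": {"postinstall": "node test.js"}}
SAMPLE_SOURCES = {"index.js": "const endpoint = 'https://log-taker.store/upload';"}

if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST, SAMPLE_SOURCES):
        print(line)
```

Run `audit_node_modules("node_modules")` against a checkout to scan every installed package; treat any lifecycle-hook finding as a prompt to read the script, not as proof of compromise on its own.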

Affected packages

npm / log-taker1
Introduced in: 0

No fixed version published yet for log-taker1 (npm). Pin to a known-safe version or switch to an alternative.