MAL-2026-6693

Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. `thirdwb` is a typosquat of the legitimate `thirdweb` package. It uses a side-loader technique, pulling in `log-taker` as a transitive dependency; the infostealer runs automatically via that dependency's `postinstall` hook. The payload harvests cryptocurrency wallet vaults (MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, TronLink), browser cookies and credentials, SSH keys, AWS credentials, `.npmrc` tokens, Docker config, shell history, and password manager databases, exfiltrating all data to the C2 domain `log-taker.store`.