Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

MAL-2026-10413: Malicious code in eth-base (npm)

0
Critical
Published: 07/13/2026 (07/13/2026, 06:51:45 UTC)
Source: GCVE Database
Product: eth-base

Description

The npm package 'eth-base' version 1.0.0 contains malicious code injected into its published build. The package impersonates a legitimate web3.js helper but includes about 60KB of obfuscated JavaScript that executes arbitrary attacker-supplied code with full Node.js require access upon loading. This occurs because the malicious payload loads axios, fetches remote code via a reconstructed URL, and executes it dynamically. The source code repository is empty, and the clean source code does not contain the payload, indicating the compromise is only in the published package. Consumers installing or requiring this package risk arbitrary code execution on their host.

Affected software

npmghsa
eth-base
Affected versions
=1.0.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/13/2026, 09:27:14 UTC

Technical Analysis

The 'eth-base' npm package version 1.0.0 is a malicious package that includes a large obfuscated JavaScript payload appended to a legitimate web3-core-subscriptions module. Upon requiring the package, an immediately invoked function expression (IIFE) loads the axios library to make an HTTPS request to a dynamically reconstructed URL. The response from this request is used to construct and execute a new Function with full Node.js require capabilities, allowing execution of arbitrary attacker-controlled JavaScript code in the process. The clean source code does not contain this payload, indicating the malicious code was injected only into the published build. The package name and description impersonate a known web3.js helper, but the repository field is empty, suggesting malicious intent to deceive users. This results in arbitrary code execution on the installing host at load time.

Potential Impact

Consumers who install or require 'eth-base' version 1.0.0 are subject to arbitrary code execution on their host environment. This can lead to full compromise of the system running the Node.js process, including unauthorized access to files, network, and other resources accessible via Node's require system. The malicious payload executes immediately upon loading the package, increasing the risk of compromise during installation or runtime.

Mitigation Recommendations

No official patch or remediation is currently available for this malicious package. Users should avoid installing or requiring 'eth-base' version 1.0.0 from npm. Verify package authenticity before use and prefer official, well-maintained packages from trusted sources. Since this is a malicious package impersonating a legitimate library, removing the package and scanning for any signs of compromise on affected hosts is recommended. Monitor npm advisories and vendor communications for any updates or official guidance.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
MAL-2026-10413
Osv Schema Version
1.7.4
Aliases
[]
Ecosystems
["npm"]
Database Specific Severity
null
Cvss Version
null

Threat ID: 6a54ad9c68715ace438f3cec

Added to database: 07/13/2026, 09:19:24 UTC

Last enriched: 07/13/2026, 09:27:14 UTC

Last updated: 07/13/2026, 14:21:10 UTC

Views: 3

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses