MAL-2026-10413: Malicious code in eth-base (npm)
The npm package 'eth-base' version 1.0.0 contains malicious code injected into its published build. The package impersonates a legitimate web3.js helper but includes about 60KB of obfuscated JavaScript that executes arbitrary attacker-supplied code with full Node.js require access upon loading. This occurs because the malicious payload loads axios, fetches remote code via a reconstructed URL, and executes it dynamically. The source code repository is empty, and the clean source code does not contain the payload, indicating the compromise is only in the published package. Consumers installing or requiring this package risk arbitrary code execution on their host.
AI Analysis
Technical Summary
The 'eth-base' npm package version 1.0.0 is a malicious package that includes a large obfuscated JavaScript payload appended to a legitimate web3-core-subscriptions module. Upon requiring the package, an immediately invoked function expression (IIFE) loads the axios library to make an HTTPS request to a dynamically reconstructed URL. The response from this request is used to construct and execute a new Function with full Node.js require capabilities, allowing execution of arbitrary attacker-controlled JavaScript code in the process. The clean source code does not contain this payload, indicating the malicious code was injected only into the published build. The package name and description impersonate a known web3.js helper, but the repository field is empty, suggesting malicious intent to deceive users. This results in arbitrary code execution on the installing host at load time.
Potential Impact
Consumers who install or require 'eth-base' version 1.0.0 are subject to arbitrary code execution on their host environment. This can lead to full compromise of the system running the Node.js process, including unauthorized access to files, network, and other resources accessible via Node's require system. The malicious payload executes immediately upon loading the package, increasing the risk of compromise during installation or runtime.
Mitigation Recommendations
No official patch or remediation is currently available for this malicious package. Users should avoid installing or requiring 'eth-base' version 1.0.0 from npm. Verify package authenticity before use and prefer official, well-maintained packages from trusted sources. Since this is a malicious package impersonating a legitimate library, removing the package and scanning for any signs of compromise on affected hosts is recommended. Monitor npm advisories and vendor communications for any updates or official guidance.
MAL-2026-10413: Malicious code in eth-base (npm)
Description
The npm package 'eth-base' version 1.0.0 contains malicious code injected into its published build. The package impersonates a legitimate web3.js helper but includes about 60KB of obfuscated JavaScript that executes arbitrary attacker-supplied code with full Node.js require access upon loading. This occurs because the malicious payload loads axios, fetches remote code via a reconstructed URL, and executes it dynamically. The source code repository is empty, and the clean source code does not contain the payload, indicating the compromise is only in the published package. Consumers installing or requiring this package risk arbitrary code execution on their host.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The 'eth-base' npm package version 1.0.0 is a malicious package that includes a large obfuscated JavaScript payload appended to a legitimate web3-core-subscriptions module. Upon requiring the package, an immediately invoked function expression (IIFE) loads the axios library to make an HTTPS request to a dynamically reconstructed URL. The response from this request is used to construct and execute a new Function with full Node.js require capabilities, allowing execution of arbitrary attacker-controlled JavaScript code in the process. The clean source code does not contain this payload, indicating the malicious code was injected only into the published build. The package name and description impersonate a known web3.js helper, but the repository field is empty, suggesting malicious intent to deceive users. This results in arbitrary code execution on the installing host at load time.
Potential Impact
Consumers who install or require 'eth-base' version 1.0.0 are subject to arbitrary code execution on their host environment. This can lead to full compromise of the system running the Node.js process, including unauthorized access to files, network, and other resources accessible via Node's require system. The malicious payload executes immediately upon loading the package, increasing the risk of compromise during installation or runtime.
Mitigation Recommendations
No official patch or remediation is currently available for this malicious package. Users should avoid installing or requiring 'eth-base' version 1.0.0 from npm. Verify package authenticity before use and prefer official, well-maintained packages from trusted sources. Since this is a malicious package impersonating a legitimate library, removing the package and scanning for any signs of compromise on affected hosts is recommended. Monitor npm advisories and vendor communications for any updates or official guidance.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10413
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a54ad9c68715ace438f3cec
Added to database: 07/13/2026, 09:19:24 UTC
Last enriched: 07/13/2026, 09:27:14 UTC
Last updated: 07/13/2026, 14:21:10 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.