Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

MAL-2026-10572: Malicious code in eth-wallet-helpers (npm)

0
Critical
Published: 07/14/2026 (07/14/2026, 05:57:40 UTC)
Source: GCVE Database
Product: eth-wallet-helpers

Description

--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (517d465272a3a1d252e83e178bb263a1ccf600b42fed6d5aa1d110b9141fc77a) On require of index.js, a delayed IIFE reads test/fixtures/keypairs.dat, base64-decodes it into ~/.cache-db/.node-sync/syncd.js (mode 0o700), and spawns it detached under Node. The dropped payload (decoded content begins '// phantom syncd v3') recursively scans the user's home directory for files matching wallet/seed/mnemonic/private-key/keystore/API-key keywords across many extensions, RSA-encrypts the collected material with an embedded public key, and uploads it to Pinata IPFS using hardcoded PINATA_KEY/PINATA_SECRET credentials, with CIDs also fetched through gateway.pinata.cloud, ipfs.io, and cloudflare-ipfs.com. Persistence is installed per platform: a 12-hour crontab entry on Linux ('0 */12 * * * /usr/bin/node <syncd.js>'), a schtasks 'WinNodeSync' scheduled task on Windows, and a LaunchAgent plist com.apple.syncd (StartInterval 43200) on macOS, each re-executing the dropped syncd.js. The fixture-file cover name (test/fixtures/keypairs.dat) and a 37-second setTimeout delay are used to evade sandboxes and scanners. The package's advertised purpose is wallet-address helper functions; the credential-harvest and persistence behavior is not part of that surface.

Affected software

npmghsa
eth-wallet-helpers
Affected versions
=1.0.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/14/2026, 09:27:18 UTC

Technical Analysis

The eth-wallet-helpers npm package version 1.0.0 includes a delayed self-executing function that reads a base64-encoded payload from a fixture file, writes it to a hidden cache location, and executes it detached under Node.js. The payload recursively searches the user's home directory for files containing wallet, seed, mnemonic, private key, keystore, or API key data across multiple file extensions. It encrypts the collected data with an embedded RSA public key and uploads it to Pinata IPFS using hardcoded API credentials. Persistence mechanisms are installed per platform: a crontab entry on Linux, a scheduled task named 'WinNodeSync' on Windows, and a LaunchAgent plist on macOS, each running the dropped payload every 12 hours. The use of a 37-second delay and a fixture file name aims to evade sandbox and scanner detection. This malicious activity is not part of the package's stated purpose.

Potential Impact

Sensitive wallet-related credentials and keys stored on the user's system can be harvested and exfiltrated to an attacker-controlled IPFS service, potentially leading to compromise of cryptocurrency wallets or other sensitive accounts. The malware establishes persistent execution on the infected system, allowing repeated data theft over time. This compromises user confidentiality and security of wallet assets.

Mitigation Recommendations

No official patch or remediation is currently available for this malicious package version. Users should immediately uninstall eth-wallet-helpers version 1.0.0 and avoid using this package. Inspect systems for the presence of the dropped payload (~/.cache-db/.node-sync/syncd.js) and remove any persistence mechanisms such as the 12-hour crontab entry on Linux, the 'WinNodeSync' scheduled task on Windows, and the com.apple.syncd LaunchAgent on macOS. Monitor for suspicious IPFS network activity related to Pinata or other gateways. Consider restoring affected systems from known clean backups if compromise is suspected.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
MAL-2026-10572
Osv Schema Version
1.7.4
Aliases
[]
Ecosystems
["npm"]
Database Specific Severity
null
Cvss Version
null

Threat ID: 6a55ff5568715ace432f078e

Added to database: 07/14/2026, 09:20:21 UTC

Last enriched: 07/14/2026, 09:27:18 UTC

Last updated: 07/14/2026, 09:27:51 UTC

Views: 2

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses