MAL-2026-10572: Malicious code in eth-wallet-helpers (npm)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (517d465272a3a1d252e83e178bb263a1ccf600b42fed6d5aa1d110b9141fc77a) On require of index.js, a delayed IIFE reads test/fixtures/keypairs.dat, base64-decodes it into ~/.cache-db/.node-sync/syncd.js (mode 0o700), and spawns it detached under Node. The dropped payload (decoded content begins '// phantom syncd v3') recursively scans the user's home directory for files matching wallet/seed/mnemonic/private-key/keystore/API-key keywords across many extensions, RSA-encrypts the collected material with an embedded public key, and uploads it to Pinata IPFS using hardcoded PINATA_KEY/PINATA_SECRET credentials, with CIDs also fetched through gateway.pinata.cloud, ipfs.io, and cloudflare-ipfs.com. Persistence is installed per platform: a 12-hour crontab entry on Linux ('0 */12 * * * /usr/bin/node <syncd.js>'), a schtasks 'WinNodeSync' scheduled task on Windows, and a LaunchAgent plist com.apple.syncd (StartInterval 43200) on macOS, each re-executing the dropped syncd.js. The fixture-file cover name (test/fixtures/keypairs.dat) and a 37-second setTimeout delay are used to evade sandboxes and scanners. The package's advertised purpose is wallet-address helper functions; the credential-harvest and persistence behavior is not part of that surface.
AI Analysis
Technical Summary
The eth-wallet-helpers npm package version 1.0.0 includes a delayed self-executing function that reads a base64-encoded payload from a fixture file, writes it to a hidden cache location, and executes it detached under Node.js. The payload recursively searches the user's home directory for files containing wallet, seed, mnemonic, private key, keystore, or API key data across multiple file extensions. It encrypts the collected data with an embedded RSA public key and uploads it to Pinata IPFS using hardcoded API credentials. Persistence mechanisms are installed per platform: a crontab entry on Linux, a scheduled task named 'WinNodeSync' on Windows, and a LaunchAgent plist on macOS, each running the dropped payload every 12 hours. The use of a 37-second delay and a fixture file name aims to evade sandbox and scanner detection. This malicious activity is not part of the package's stated purpose.
Potential Impact
Sensitive wallet-related credentials and keys stored on the user's system can be harvested and exfiltrated to an attacker-controlled IPFS service, potentially leading to compromise of cryptocurrency wallets or other sensitive accounts. The malware establishes persistent execution on the infected system, allowing repeated data theft over time. This compromises user confidentiality and security of wallet assets.
Mitigation Recommendations
No official patch or remediation is currently available for this malicious package version. Users should immediately uninstall eth-wallet-helpers version 1.0.0 and avoid using this package. Inspect systems for the presence of the dropped payload (~/.cache-db/.node-sync/syncd.js) and remove any persistence mechanisms such as the 12-hour crontab entry on Linux, the 'WinNodeSync' scheduled task on Windows, and the com.apple.syncd LaunchAgent on macOS. Monitor for suspicious IPFS network activity related to Pinata or other gateways. Consider restoring affected systems from known clean backups if compromise is suspected.
MAL-2026-10572: Malicious code in eth-wallet-helpers (npm)
Description
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (517d465272a3a1d252e83e178bb263a1ccf600b42fed6d5aa1d110b9141fc77a) On require of index.js, a delayed IIFE reads test/fixtures/keypairs.dat, base64-decodes it into ~/.cache-db/.node-sync/syncd.js (mode 0o700), and spawns it detached under Node. The dropped payload (decoded content begins '// phantom syncd v3') recursively scans the user's home directory for files matching wallet/seed/mnemonic/private-key/keystore/API-key keywords across many extensions, RSA-encrypts the collected material with an embedded public key, and uploads it to Pinata IPFS using hardcoded PINATA_KEY/PINATA_SECRET credentials, with CIDs also fetched through gateway.pinata.cloud, ipfs.io, and cloudflare-ipfs.com. Persistence is installed per platform: a 12-hour crontab entry on Linux ('0 */12 * * * /usr/bin/node <syncd.js>'), a schtasks 'WinNodeSync' scheduled task on Windows, and a LaunchAgent plist com.apple.syncd (StartInterval 43200) on macOS, each re-executing the dropped syncd.js. The fixture-file cover name (test/fixtures/keypairs.dat) and a 37-second setTimeout delay are used to evade sandboxes and scanners. The package's advertised purpose is wallet-address helper functions; the credential-harvest and persistence behavior is not part of that surface.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The eth-wallet-helpers npm package version 1.0.0 includes a delayed self-executing function that reads a base64-encoded payload from a fixture file, writes it to a hidden cache location, and executes it detached under Node.js. The payload recursively searches the user's home directory for files containing wallet, seed, mnemonic, private key, keystore, or API key data across multiple file extensions. It encrypts the collected data with an embedded RSA public key and uploads it to Pinata IPFS using hardcoded API credentials. Persistence mechanisms are installed per platform: a crontab entry on Linux, a scheduled task named 'WinNodeSync' on Windows, and a LaunchAgent plist on macOS, each running the dropped payload every 12 hours. The use of a 37-second delay and a fixture file name aims to evade sandbox and scanner detection. This malicious activity is not part of the package's stated purpose.
Potential Impact
Sensitive wallet-related credentials and keys stored on the user's system can be harvested and exfiltrated to an attacker-controlled IPFS service, potentially leading to compromise of cryptocurrency wallets or other sensitive accounts. The malware establishes persistent execution on the infected system, allowing repeated data theft over time. This compromises user confidentiality and security of wallet assets.
Mitigation Recommendations
No official patch or remediation is currently available for this malicious package version. Users should immediately uninstall eth-wallet-helpers version 1.0.0 and avoid using this package. Inspect systems for the presence of the dropped payload (~/.cache-db/.node-sync/syncd.js) and remove any persistence mechanisms such as the 12-hour crontab entry on Linux, the 'WinNodeSync' scheduled task on Windows, and the com.apple.syncd LaunchAgent on macOS. Monitor for suspicious IPFS network activity related to Pinata or other gateways. Consider restoring affected systems from known clean backups if compromise is suspected.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10572
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a55ff5568715ace432f078e
Added to database: 07/14/2026, 09:20:21 UTC
Last enriched: 07/14/2026, 09:27:18 UTC
Last updated: 07/14/2026, 09:27:51 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.