MAL-2026-10637: Malicious code in mc-reg (npm)
The mc-reg npm package masquerades as a Cosmos chain-registry data package but instead imports a malicious dependency, chain-sdk-js, which contains code to intercept and exfiltrate wallet secrets such as BIP-39 mnemonics and private keys. The malicious code sends these secrets to a hardcoded external host without user configuration. The mc-reg package itself acts as a lure to introduce this malicious code into consumers' dependency trees. Versions 1.0.3 and 1.0.4 of mc-reg are affected.
AI Analysis
Technical Summary
The mc-reg package advertises itself as a legitimate Cosmos chain-registry data package but does not expose the expected data. Instead, its main and ESM entrypoints import and re-export a component from the unrelated chain-sdk-js package. This dependency contains malicious code in persistence/chain.js that intercepts wallet secrets and exfiltrates them via POST requests to a hardcoded destination reconstructed from character codes. This behavior matches theft of BIP-39 mnemonic phrases and private keys from wallet or signing paths. Thus, installing or importing mc-reg results in the inadvertent inclusion of malicious code that compromises wallet security.
Potential Impact
Users who install or import mc-reg versions 1.0.3 or 1.0.4 risk having their wallet secrets, including mnemonic phrases and private keys, intercepted and sent to an attacker-controlled host. This can lead to complete compromise of cryptocurrency wallets and loss of funds. The package acts as a supply chain attack vector by masquerading as a benign data package while delivering malicious code.
Mitigation Recommendations
No official patch or remediation is currently documented for mc-reg. Users should avoid installing or importing mc-reg versions 1.0.3 and 1.0.4. Audit dependency trees for inclusion of mc-reg or chain-sdk-js and remove these packages if found. Monitor vendor advisories for updates or fixes. Since this is a malicious package, consider using trusted package sources and supply chain security tools to detect such threats.
MAL-2026-10637: Malicious code in mc-reg (npm)
Description
The mc-reg npm package masquerades as a Cosmos chain-registry data package but instead imports a malicious dependency, chain-sdk-js, which contains code to intercept and exfiltrate wallet secrets such as BIP-39 mnemonics and private keys. The malicious code sends these secrets to a hardcoded external host without user configuration. The mc-reg package itself acts as a lure to introduce this malicious code into consumers' dependency trees. Versions 1.0.3 and 1.0.4 of mc-reg are affected.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The mc-reg package advertises itself as a legitimate Cosmos chain-registry data package but does not expose the expected data. Instead, its main and ESM entrypoints import and re-export a component from the unrelated chain-sdk-js package. This dependency contains malicious code in persistence/chain.js that intercepts wallet secrets and exfiltrates them via POST requests to a hardcoded destination reconstructed from character codes. This behavior matches theft of BIP-39 mnemonic phrases and private keys from wallet or signing paths. Thus, installing or importing mc-reg results in the inadvertent inclusion of malicious code that compromises wallet security.
Potential Impact
Users who install or import mc-reg versions 1.0.3 or 1.0.4 risk having their wallet secrets, including mnemonic phrases and private keys, intercepted and sent to an attacker-controlled host. This can lead to complete compromise of cryptocurrency wallets and loss of funds. The package acts as a supply chain attack vector by masquerading as a benign data package while delivering malicious code.
Mitigation Recommendations
No official patch or remediation is currently documented for mc-reg. Users should avoid installing or importing mc-reg versions 1.0.3 and 1.0.4. Audit dependency trees for inclusion of mc-reg or chain-sdk-js and remove these packages if found. Monitor vendor advisories for updates or fixes. Since this is a malicious package, consider using trusted package sources and supply chain security tools to detect such threats.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10637
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a577ef668715ace43b41c5e
Added to database: 07/15/2026, 12:37:10 UTC
Last enriched: 07/15/2026, 12:57:56 UTC
Last updated: 07/16/2026, 03:33:31 UTC
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.