MAL-2026-10666: Malicious code in crypto-hasher (npm)
The crypto-hasher npm package versions 3.1.2 and 3.1.3 contain malicious code impersonating the hash-wasm library. When hashing data containing the trigger string 'alicebob100', it silently spawns a detached child process that connects to Ethereum Sepolia RPC endpoints to retrieve encrypted data and passwords from a smart contract. It decrypts a wallet private key and exfiltrates host system information to Slack and Telegram using hardcoded tokens. A secondary component polls Slack for encrypted commands, which it decrypts, writes to disk, and executes, establishing a persistent remote code execution backdoor. An 'exitexitexit' command triggers anti-forensic actions by deleting malicious files and modifying the LICENSE file. This package compromise leads to full system compromise.
AI Analysis
Technical Summary
The crypto-hasher npm package versions 3.1.2 and 3.1.3 impersonate the legitimate hash-wasm library but inject malicious code into the WASM Interface update() method. When hashing data containing the trigger string 'alicebob100', it spawns a detached Node.js child process that connects to Ethereum Sepolia RPC endpoints via base64-obfuscated URLs to retrieve encrypted material and passwords from a smart contract. It performs cryptographic operations (X25519 ECDH, PBKDF2, AES-GCM) to recover a wallet private key. The malware exfiltrates host reconnaissance data (platform, release, architecture, hostname, CPUs, memory, uptime) to Slack and Telegram using hardcoded bearer tokens and chat IDs. A second component polls Slack for encrypted commands, decrypts them, writes executable files to disk, and runs them under Node.js, establishing a persistent remote code execution backdoor. An 'exitexitexit' command deletes malicious files and modifies the LICENSE file to hinder forensic analysis. The malware uses string-array rotation and base64 wrapping for obfuscation. This results in full compromise of any system running these package versions.
Potential Impact
Systems with crypto-hasher versions 3.1.2 or 3.1.3 installed or running are fully compromised. The attacker can recover wallet private keys, exfiltrate sensitive host information, and maintain persistent remote code execution access. All secrets and keys stored on the compromised system should be considered exposed and rotated immediately. Removing the package alone does not guarantee removal of all malicious artifacts or backdoors.
Mitigation Recommendations
No official patch or fix is currently available for this malicious package. Immediate removal of crypto-hasher versions 3.1.2 and 3.1.3 is strongly recommended. All secrets and cryptographic keys stored on affected systems should be rotated from a separate, trusted environment. Due to the persistent backdoor and anti-forensic measures, assume full system compromise and consider rebuilding the affected hosts. Monitor for any suspicious network connections to Ethereum RPC endpoints, Slack, or Telegram APIs. Patch status is not yet confirmed — check vendor advisories or trusted sources for updates.
MAL-2026-10666: Malicious code in crypto-hasher (npm)
Description
The crypto-hasher npm package versions 3.1.2 and 3.1.3 contain malicious code impersonating the hash-wasm library. When hashing data containing the trigger string 'alicebob100', it silently spawns a detached child process that connects to Ethereum Sepolia RPC endpoints to retrieve encrypted data and passwords from a smart contract. It decrypts a wallet private key and exfiltrates host system information to Slack and Telegram using hardcoded tokens. A secondary component polls Slack for encrypted commands, which it decrypts, writes to disk, and executes, establishing a persistent remote code execution backdoor. An 'exitexitexit' command triggers anti-forensic actions by deleting malicious files and modifying the LICENSE file. This package compromise leads to full system compromise.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The crypto-hasher npm package versions 3.1.2 and 3.1.3 impersonate the legitimate hash-wasm library but inject malicious code into the WASM Interface update() method. When hashing data containing the trigger string 'alicebob100', it spawns a detached Node.js child process that connects to Ethereum Sepolia RPC endpoints via base64-obfuscated URLs to retrieve encrypted material and passwords from a smart contract. It performs cryptographic operations (X25519 ECDH, PBKDF2, AES-GCM) to recover a wallet private key. The malware exfiltrates host reconnaissance data (platform, release, architecture, hostname, CPUs, memory, uptime) to Slack and Telegram using hardcoded bearer tokens and chat IDs. A second component polls Slack for encrypted commands, decrypts them, writes executable files to disk, and runs them under Node.js, establishing a persistent remote code execution backdoor. An 'exitexitexit' command deletes malicious files and modifies the LICENSE file to hinder forensic analysis. The malware uses string-array rotation and base64 wrapping for obfuscation. This results in full compromise of any system running these package versions.
Potential Impact
Systems with crypto-hasher versions 3.1.2 or 3.1.3 installed or running are fully compromised. The attacker can recover wallet private keys, exfiltrate sensitive host information, and maintain persistent remote code execution access. All secrets and keys stored on the compromised system should be considered exposed and rotated immediately. Removing the package alone does not guarantee removal of all malicious artifacts or backdoors.
Mitigation Recommendations
No official patch or fix is currently available for this malicious package. Immediate removal of crypto-hasher versions 3.1.2 and 3.1.3 is strongly recommended. All secrets and cryptographic keys stored on affected systems should be rotated from a separate, trusted environment. Due to the persistent backdoor and anti-forensic measures, assume full system compromise and consider rebuilding the affected hosts. Monitor for any suspicious network connections to Ethereum RPC endpoints, Slack, or Telegram APIs. Patch status is not yet confirmed — check vendor advisories or trusted sources for updates.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10666
- Osv Schema Version
- 1.7.4
- Aliases
- ["GHSA-886f-w6pq-7w7j"]
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a577ecd68715ace43b3ef50
Added to database: 07/15/2026, 12:36:29 UTC
Last enriched: 07/15/2026, 12:40:18 UTC
Last updated: 07/16/2026, 03:34:29 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.