Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

MAL-2026-10666: Malicious code in crypto-hasher (npm)

0
Critical
Published: 07/15/2026 (07/15/2026, 06:19:59 UTC)
Source: GCVE Database
Product: crypto-hasher

Description

The crypto-hasher npm package versions 3.1.2 and 3.1.3 contain malicious code impersonating the hash-wasm library. When hashing data containing the trigger string 'alicebob100', it silently spawns a detached child process that connects to Ethereum Sepolia RPC endpoints to retrieve encrypted data and passwords from a smart contract. It decrypts a wallet private key and exfiltrates host system information to Slack and Telegram using hardcoded tokens. A secondary component polls Slack for encrypted commands, which it decrypts, writes to disk, and executes, establishing a persistent remote code execution backdoor. An 'exitexitexit' command triggers anti-forensic actions by deleting malicious files and modifying the LICENSE file. This package compromise leads to full system compromise.

Affected software

npmghsa
crypto-hasher
Affected versions
=3.1.3=3.1.2

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/15/2026, 12:40:18 UTC

Technical Analysis

The crypto-hasher npm package versions 3.1.2 and 3.1.3 impersonate the legitimate hash-wasm library but inject malicious code into the WASM Interface update() method. When hashing data containing the trigger string 'alicebob100', it spawns a detached Node.js child process that connects to Ethereum Sepolia RPC endpoints via base64-obfuscated URLs to retrieve encrypted material and passwords from a smart contract. It performs cryptographic operations (X25519 ECDH, PBKDF2, AES-GCM) to recover a wallet private key. The malware exfiltrates host reconnaissance data (platform, release, architecture, hostname, CPUs, memory, uptime) to Slack and Telegram using hardcoded bearer tokens and chat IDs. A second component polls Slack for encrypted commands, decrypts them, writes executable files to disk, and runs them under Node.js, establishing a persistent remote code execution backdoor. An 'exitexitexit' command deletes malicious files and modifies the LICENSE file to hinder forensic analysis. The malware uses string-array rotation and base64 wrapping for obfuscation. This results in full compromise of any system running these package versions.

Potential Impact

Systems with crypto-hasher versions 3.1.2 or 3.1.3 installed or running are fully compromised. The attacker can recover wallet private keys, exfiltrate sensitive host information, and maintain persistent remote code execution access. All secrets and keys stored on the compromised system should be considered exposed and rotated immediately. Removing the package alone does not guarantee removal of all malicious artifacts or backdoors.

Mitigation Recommendations

No official patch or fix is currently available for this malicious package. Immediate removal of crypto-hasher versions 3.1.2 and 3.1.3 is strongly recommended. All secrets and cryptographic keys stored on affected systems should be rotated from a separate, trusted environment. Due to the persistent backdoor and anti-forensic measures, assume full system compromise and consider rebuilding the affected hosts. Monitor for any suspicious network connections to Ethereum RPC endpoints, Slack, or Telegram APIs. Patch status is not yet confirmed — check vendor advisories or trusted sources for updates.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
MAL-2026-10666
Osv Schema Version
1.7.4
Aliases
["GHSA-886f-w6pq-7w7j"]
Ecosystems
["npm"]
Database Specific Severity
null
Cvss Version
null

Threat ID: 6a577ecd68715ace43b3ef50

Added to database: 07/15/2026, 12:36:29 UTC

Last enriched: 07/15/2026, 12:40:18 UTC

Last updated: 07/16/2026, 03:34:29 UTC

Views: 5

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses