The base58-core npm package contains a time-delayed malicious payload that activates 72 hours after first import to evade detection. Once active, it continuously polls the clipboard every 2.5 seconds to detect Bitcoin, Ethereum, and Solana addresses and silently replaces them with attacker wallet addresses. It also captures clipboard contents matching private keys and seed phrases, along with host metadata, and exfiltrates this data in plaintext to a hardcoded command and control server. The malware establishes persistence by modifying shell startup scripts on Unix-like systems and placing a loader script in the Windows Startup folder. It uses PowerShell commands for clipboard access on Windows. The package name mimics legitimate base58 libraries, indicating namespace abuse aimed at crypto developers.

This malicious package compromises the confidentiality and integrity of cryptocurrency transactions by redirecting funds to attacker wallets and stealing private keys and seed phrases. It also compromises host security by establishing persistence mechanisms that survive package removal and system reboots. The attack specifically targets developers handling cryptocurrency addresses and keys, potentially leading to significant financial loss and system compromise.

No official patch or remediation is currently available for this malicious package. Users should immediately remove base58-core versions 1.0.0, 1.0.1, 1.0.2, and 1.0.3 from their projects and systems. Review and clean shell startup scripts (~/.bashrc, ~/.zshrc, ~/.profile) and Windows Startup folders for unauthorized entries related to base58-core or base58-runtime.js. Avoid using untrusted or impersonating npm packages, especially those mimicking well-known libraries. Monitor for suspicious clipboard activity and network connections to the indicated C2 IP addresses. Patch status is not yet confirmed — check vendor or repository advisories for updates.