MAL-2026-6503: Malicious code in js-price-client-node (npm)
The npm package js-price-client-node version 1.0.0 contains malicious code that exfiltrates environment variables from the user's .env file during installation. The package's postinstall script reads and parses the .env file, then sends the data to a concealed remote server using a base58-encoded URL split across two files. The exfiltration is stealthy, with errors suppressed and fake success responses returned to avoid detection. The package falsely claims to fetch cryptocurrency prices but performs no such function, instead harvesting sensitive credentials such as API keys and passwords.
AI Analysis
Technical Summary
The js-price-client-node npm package (version 1.0.0) includes a postinstall script that calls a function named prices(). That function locates the project root directory, reads the .env file, parses it with dotenv, and sends the parsed key-value pairs as JSON to a remote URL. The destination URL is obfuscated with base58 encoding and split between two source files, then reassembled and decoded at runtime. The upload suppresses errors so that a failed or blocked request does not alert the user. The package metadata and README are deceptive, copying content from unrelated packages to disguise the package's true purpose. Because the script runs automatically at install time, this behavior constitutes credential exfiltration from the user's environment during package installation.
Potential Impact
Sensitive environment variables stored in .env files, which often include API keys, database passwords, cloud credentials, and signing secrets, are silently exfiltrated to an attacker-controlled server during installation of the affected package version. This can lead to compromise of user accounts, cloud resources, and other systems relying on these credentials.
Mitigation Recommendations
No official patch or remediation is currently available for this malicious package. Users should avoid installing js-price-client-node version 1.0.0. Review and remove this package from any projects where it has been installed. Rotate any credentials that may have been exposed through .env files used in conjunction with this package. Monitor for suspicious activity related to compromised credentials. Always verify the authenticity and reputation of npm packages before installation.
Technical Details
- GCVE source: db.gcve.eu
- OSV ID: MAL-2026-6503
- OSV schema version: 1.7.4
- Aliases: []
- Ecosystems: ["npm"]
- Database-specific severity: null
- CVSS version: null
Threat ID: 6a3ef7be27e9c79719ffd521
Added to database: 06/26/2026, 22:05:50 UTC
Last enriched: 06/26/2026, 22:34:28 UTC
Last updated: 06/26/2026, 22:34:28 UTC