This malicious npm package, published under the name @epsteinlovekids483/crossmint-wallets-sdk-pentest, contains code that runs immediately when required. It collects sensitive secrets from environment variables and local credential files such as ~/.npmrc, ~/.aws/credentials, ~/.ssh private keys, and Solana keypairs. It also executes 'gh auth token' to capture GitHub CLI tokens. The collected data is JSON-stringified, base64-encoded, and exfiltrated via an HTTP POST to a hardcoded local endpoint (127.0.0.1:8052/exfil) labeled as a command-and-control server. The package falsely claims association with the legitimate Crossmint SDK and Paella Labs Inc, including copying the official README. While the exfiltration endpoint is local, the code runs on every require(), enabling easy modification of the destination for future malicious republishing. Importing this package results in theft of critical credentials and keys.

Importing this malicious package leads to the theft of a wide range of sensitive credentials and secrets, including AWS credentials, SSH private keys, npm authentication tokens, GitHub CLI tokens, Solana keypairs, and other environment secrets. This can result in unauthorized access to cloud services, code repositories, package registries, and blockchain wallets. The local command-and-control endpoint limits immediate remote exfiltration but the payload is designed for easy modification to enable external data theft in future versions.

No official patch or remediation is available for this malicious package. The threat arises from using this specific npm package published under @epsteinlovekids483/crossmint-wallets-sdk-pentest. Users should avoid installing or importing this package. Verify package authenticity by using official sources and repositories. Monitor dependencies for suspicious or untrusted packages. Since this is a malicious package impersonating a legitimate SDK, do not trust packages with similar names from unverified publishers.