MAL-2026-6545: Malicious code in crossmint-wallets-sdk (npm)
The crossmint-wallets-sdk npm package version 1.0.0 is a malicious package impersonating a legitimate wallet SDK. It contains preinstall and index scripts that execute automatically during installation, collecting host identifiers and exfiltrating them to a hardcoded external server. This behavior allows attackers to perform reconnaissance and potentially gain control over the affected system. Systems with this package installed should be considered fully compromised, and all secrets and keys must be rotated from a secure environment. Removal of the package alone does not guarantee eradication of all malicious components.
AI Analysis
Technical Summary
The crossmint-wallets-sdk package version 1.0.0 is a typosquatting malicious npm package that executes code during the npm install preinstall lifecycle event. It imports child_process, reads the hostname of the host machine, and sends this information via HTTPS POST to a hardcoded external endpoint. This exfiltration occurs before any user code runs, enabling credential and reconnaissance data theft from developers or build systems installing the package. Due to the nature of this attack, any system with this package installed is considered fully compromised.
Potential Impact
Installation of this malicious package leads to immediate exfiltration of host identifiers to an attacker-controlled server. This compromises the confidentiality of the host environment and may allow attackers to gain further access or control. The compromise is severe enough that all secrets and keys on the affected system should be considered exposed and require immediate rotation. The presence of this package indicates a full system compromise with potential persistence beyond package removal.
Mitigation Recommendations
There is no official patch or fix available for this malicious package. The affected package version is 1.0.0 and should be removed immediately. Systems with this package installed must be treated as fully compromised. All secrets, credentials, and keys stored on the affected system should be rotated from a different, secure machine. Additional forensic analysis and remediation may be necessary to ensure complete removal of any backdoors or malware installed as a result of this package.
MAL-2026-6545: Malicious code in crossmint-wallets-sdk (npm)
Description
The crossmint-wallets-sdk npm package version 1.0.0 is a malicious package impersonating a legitimate wallet SDK. It contains preinstall and index scripts that execute automatically during installation, collecting host identifiers and exfiltrating them to a hardcoded external server. This behavior allows attackers to perform reconnaissance and potentially gain control over the affected system. Systems with this package installed should be considered fully compromised, and all secrets and keys must be rotated from a secure environment. Removal of the package alone does not guarantee eradication of all malicious components.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The crossmint-wallets-sdk package version 1.0.0 is a typosquatting malicious npm package that executes code during the npm install preinstall lifecycle event. It imports child_process, reads the hostname of the host machine, and sends this information via HTTPS POST to a hardcoded external endpoint. This exfiltration occurs before any user code runs, enabling credential and reconnaissance data theft from developers or build systems installing the package. Due to the nature of this attack, any system with this package installed is considered fully compromised.
Potential Impact
Installation of this malicious package leads to immediate exfiltration of host identifiers to an attacker-controlled server. This compromises the confidentiality of the host environment and may allow attackers to gain further access or control. The compromise is severe enough that all secrets and keys on the affected system should be considered exposed and require immediate rotation. The presence of this package indicates a full system compromise with potential persistence beyond package removal.
Mitigation Recommendations
There is no official patch or fix available for this malicious package. The affected package version is 1.0.0 and should be removed immediately. Systems with this package installed must be treated as fully compromised. All secrets, credentials, and keys stored on the affected system should be rotated from a different, secure machine. Additional forensic analysis and remediation may be necessary to ensure complete removal of any backdoors or malware installed as a result of this package.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-6545
- Osv Schema Version
- 1.7.4
- Aliases
- ["GHSA-7rfm-v32j-2583"]
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a42ed7d27e9c79719939cf9
Added to database: 06/29/2026, 22:11:09 UTC
Last enriched: 06/29/2026, 22:43:15 UTC
Last updated: 06/30/2026, 00:55:55 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.