MAL-2026-6689: Malicious code in decimal-format-core (npm)
The npm package 'decimal-format-core' versions 3.5.2 and 3.5.3 contains malicious code that executes during installation via a postinstall script. This script downloads and runs a second-stage infostealer payload from an attacker-controlled server, which harvests sensitive data including cryptocurrency wallets, browser cookies and credentials, SSH keys, AWS credentials, and password manager databases. The package masquerades as a legitimate logging utility to deceive users. There is no official patch or remediation guidance available at this time.
AI Analysis
Technical Summary
The 'decimal-format-core' npm package (versions 3.5.2 and 3.5.3) is part of a coordinated DeFi-themed infostealer campaign. Upon installation, its postinstall hook executes a script that fetches a JSON configuration from a malicious C2 domain, downloads a tarball containing a second-stage payload, installs it, and executes code that steals a wide range of sensitive credentials and data from the victim's environment. The fetched payload is neither pinned nor verified, allowing arbitrary remote code execution in the installer's context. The package attempts to appear legitimate by mimicking the description and keywords of a known logging library and framing the malicious fetch as an 'Enterprise sync' feature.
Potential Impact
Successful installation of the affected package versions leads to arbitrary remote code execution during npm install, resulting in exfiltration of highly sensitive information including cryptocurrency wallet vaults, browser cookies and credentials, SSH keys, AWS credentials, npm tokens, Docker configuration, shell history, and password manager databases. This compromises the confidentiality and integrity of the victim's environment and assets.
Mitigation Recommendations
No official patch or fix is currently available for this malicious package. Users should avoid installing 'decimal-format-core' versions 3.5.2 and 3.5.3. Verify package authenticity before installation, prefer well-known and trusted packages, and monitor for suspicious postinstall scripts. Since this is a malicious package rather than a vulnerability in legitimate software, removal and replacement with trusted alternatives is recommended. Patch status is not yet confirmed — check the vendor advisory or npm security advisories for updates.
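The recommendations above come down to two checks a defender can automate: whether the two affected versions are pinned anywhere in a lock file, and which installed packages declare install-time lifecycle scripts (the channel this package abuses). The script below is an added example, not code from the advisory or from the package; it assumes a standard npm package-lock.json (lockfileVersion 1, 2 or 3) and a node_modules tree, and the sample lock file and manifest embedded in it are constructed for illustration (the postinstall command shown is a placeholder, since the advisory does not quote the real script).

```python
"""Added example (not from the advisory): a defender-side check for MAL-2026-6689.

It flags the affected decimal-format-core versions (3.5.2, 3.5.3) in a
package-lock.json and lists every installed dependency whose package.json
declares an install-time lifecycle script. Sample inputs are constructed.
"""
import json
import os

# Versions named in the advisory.
AFFECTED = {"decimal-format-core": {"3.5.2", "3.5.3"}}
# npm lifecycle scripts that run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_affected(lockfile_text):
    """Return (name, version, lock path) for each affected entry in a lock file.

    Handles lockfileVersion 2/3 ("packages", keyed by node_modules path) and
    lockfileVersion 1 ("dependencies", nested by package name).
    """
    lock = json.loads(lockfile_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:            # "" is the root project itself
            continue
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        if version in AFFECTED.get(name, set()):
            hits.append((name, version, path))

    def walk_v1(deps, prefix):
        for name, meta in deps.items():
            path = prefix + "node_modules/" + name
            version = meta.get("version", "")
            if version in AFFECTED.get(name, set()):
                hits.append((name, version, path))
            walk_v1(meta.get("dependencies", {}), path + "/")

    if "packages" not in lock:
        walk_v1(lock.get("dependencies", {}), "")
    return hits


def install_hooks(manifest):
    """Return {hook: command} for the install-time scripts a package.json declares."""
    scripts = manifest.get("scripts") or {}
    return {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}


def scan_node_modules(root):
    """Walk an installed node_modules tree and report packages with install hooks."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as f:
                manifest = json.load(f)
        except (OSError, ValueError):
            continue            # unreadable or non-JSON manifest: skip, keep scanning
        hooks = install_hooks(manifest)
        if hooks:
            findings.append((manifest.get("name", dirpath), manifest.get("version", ""), hooks))
    return findings


# Constructed sample lock file (lockfileVersion 3) pinning an affected version.
SAMPLE_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/decimal-format-core": {"version": "3.5.2"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

# Constructed sample manifest with a postinstall hook. The command is a
# placeholder, not the real package's script (the advisory does not quote it).
SAMPLE_MANIFEST = {
    "name": "decimal-format-core", "version": "3.5.3",
    "scripts": {"postinstall": "node ./scripts/sync.js", "test": "mocha"},
}

if __name__ == "__main__":
    for name, version, path in find_affected(SAMPLE_LOCK):
        print(f"AFFECTED: {name}@{version} at {path}")
    print("install hooks in sample manifest:", install_hooks(SAMPLE_MANIFEST))
    for name, version, hooks in scan_node_modules("node_modules"):
        print(f"install hook(s) in {name}@{version}: {hooks}")
```

Run it from a project root to check the real package-lock.json (pass its contents to `find_affected`) and the real `node_modules` directory. A hook listing is a triage list, not a verdict: many legitimate native-addon packages declare install scripts, so the point is to review every entry rather than to block on any hook. Setting `ignore-scripts=true` in `.npmrc` prevents these hooks from running at all during install, at the cost of breaking packages that genuinely need them.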
Technical Details
- Gcve Source: db.gcve.eu
- Osv Id: MAL-2026-6689
- Osv Schema Version: 1.7.4
- Aliases: []
- Ecosystems: ["npm"]
- Database Specific Severity: null
- Cvss Version: null
Threat ID: 6a4452d327e9c797198dfd6d
Added to database: 06/30/2026, 23:35:47 UTC
Last enriched: 06/30/2026, 23:39:57 UTC
Last updated: 06/30/2026, 23:39:57 UTC