MAL-2026-6690: Malicious code in log-taker1 (npm)
The npm package log-taker1 version 0.1.0 contains embedded malicious code acting as an infostealer. It executes at install time and harvests sensitive data including cryptocurrency wallet vaults, browser cookies, credentials, SSH keys, AWS credentials, npm tokens, Docker configs, shell history, and password manager databases. The stolen data is exfiltrated to a command-and-control domain log-taker.store. The package uses shell commands to collect shell history, which often contains sensitive credentials. This package is part of a coordinated DeFi-themed infostealer campaign.
AI Analysis
Technical Summary
log-taker1@0.1.0 is a malicious npm package embedding approximately 2800 lines of infostealer code directly in its index.js file. It executes this payload at install time via a postinstall script that runs node test.js. The payload targets a wide range of sensitive information including cryptocurrency wallets (MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, TronLink), browser cookies, credentials, SSH keys, AWS credentials, .npmrc tokens, Docker configuration files, shell history, and password manager databases. The harvested data is exfiltrated to the C2 domain log-taker.store, which is linked to the maintainer account rohmat2527. The package uses child_process execSync calls to run bash and zsh commands to collect shell history, confirming its intent to steal credentials. The malicious nature was confirmed by malware detection filters.
Potential Impact
Successful installation of log-taker1@0.1.0 results in theft of extensive sensitive data including cryptocurrency wallets, authentication credentials, cloud service keys, and local environment secrets. This can lead to unauthorized access to user accounts, financial theft, and compromise of development and deployment environments. The exfiltration to a remote C2 domain enables attackers to collect stolen data remotely, facilitating further exploitation.
Mitigation Recommendations
No official patch or remediation is available for log-taker1@0.1.0. Users and organizations should avoid installing or using this package. Remove any installations of log-taker1@0.1.0 immediately. Review systems for signs of compromise, especially focusing on exposed credentials and secrets. Rotate any potentially exposed credentials, keys, and tokens. Monitor for suspicious network connections to the domain log-taker.store. Use trusted package sources and verify package integrity before installation.
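As an added, defender-side illustration of the removal and review steps above (not code from the advisory or from the package), the following Python walks a node_modules tree and reports the package named in this advisory, any package carrying an install-time lifecycle hook like the postinstall described above, and top-level JavaScript files that mention the C2 domain. The sample tree it builds is constructed for the demonstration; the package name left-pad-ish is a made-up benign neighbour.

```python
# Added detection helper, not code from the advisory or the package: flag the
# package/version named in MAL-2026-6690, any install-time lifecycle script,
# and top-level .js files that reference the C2 domain quoted above.
import json
import tempfile
from pathlib import Path

MALICIOUS_PACKAGE = ("log-taker1", "0.1.0")  # from the advisory text
C2_DOMAIN = "log-taker.store"                 # from the advisory text
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def inspect_package(pkg_dir):
    """Return finding strings for one installed package directory."""
    pkg_dir = Path(pkg_dir)
    try:
        meta = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return []
    name, version = meta.get("name"), meta.get("version")
    findings = []
    if (name, version) == MALICIOUS_PACKAGE:
        findings.append(f"{name}@{version}: listed in MAL-2026-6690")
    for hook, cmd in (meta.get("scripts") or {}).items():
        if hook in INSTALL_HOOKS:
            findings.append(f"{name}@{version}: runs '{cmd}' on {hook}")
    # The advisory puts the payload in index.js, so only top-level JS is read here.
    for js in pkg_dir.glob("*.js"):
        if C2_DOMAIN in js.read_text(encoding="utf-8", errors="ignore"):
            findings.append(f"{name}@{version}: references {C2_DOMAIN} in {js.name}")
    return findings

def scan_node_modules(root):
    """Inspect every installed package (scoped ones included) under root."""
    findings = []
    for pattern in ("node_modules/*/package.json", "node_modules/@*/*/package.json"):
        for manifest in sorted(Path(root).rglob(pattern)):
            findings.extend(inspect_package(manifest.parent))
    return findings

def build_sample_tree():
    """Constructed sample tree that mimics the advisory's postinstall hook."""
    root = Path(tempfile.mkdtemp())
    bad = root / "node_modules" / "log-taker1"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({"name": "log-taker1", "version": "0.1.0", "scripts": {"postinstall": "node test.js"}}))
    (bad / "index.js").write_text(f"// stand-in, no payload\nconst c2 = '{C2_DOMAIN}';\n")
    good = root / "node_modules" / "left-pad-ish"
    good.mkdir()
    (good / "package.json").write_text(json.dumps({"name": "left-pad-ish", "version": "1.0.0"}))
    return root
```

Run scan_node_modules against a project root to triage an install; an exact-match hit on the advisory's package or an unexpected install hook is the cue to remove the package and rotate credentials as recommended above.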
Technical Details
- GCVE source: db.gcve.eu
- OSV ID: MAL-2026-6690
- OSV schema version: 1.7.4
- Aliases: []
- Ecosystems: ["npm"]
- Database-specific severity: null
- CVSS version: null
Threat ID: 6a46ed1627e9c7971944735b
Added to database: 07/02/2026, 22:58:30 UTC
Last enriched: 07/02/2026, 23:36:21 UTC
Last updated: 07/03/2026, 10:51:10 UTC