MAL-2026-6925: Malicious code in typescript-base58 (npm)
The typescript-base58 package version 1.0.0 on npm is a malicious package that acts as a one-line re-export of another package base58-core. It misleadingly advertises zero dependencies while actually introducing base58-core as a runtime dependency. The package itself does not perform malicious actions directly, but the risk comes from the base58-core package it depends on, which is not analyzed here. Any system with this package installed should be considered fully compromised, and all secrets and keys must be rotated immediately. Removal of the package does not guarantee full remediation due to potential persistent compromise.
AI Analysis
Technical Summary
The [email protected] npm package is a malicious package that deceptively claims to have zero dependencies but actually depends on base58-core. While typescript-base58 itself does not contain lifecycle scripts, network calls, or obfuscation, the security risk arises from the base58-core package it pulls in. According to the GHSA advisory, any system with this package installed is considered fully compromised, requiring immediate secret rotation and package removal. The package's malicious nature is confirmed by the GHSA and GCVE sources, though no detailed analysis of base58-core is provided in this record.
Potential Impact
Systems with [email protected] installed are considered fully compromised. Attackers may have gained full control over the affected computer, potentially accessing all secrets and keys stored on it. Immediate secret and key rotation from a different, uncompromised system is necessary. Removing the package alone may not eliminate all malicious software introduced by the compromise.
Mitigation Recommendations
Remove the [email protected] package immediately from all affected systems. Rotate all secrets and keys stored on the compromised systems using a secure, unaffected environment. Because full system compromise is possible, further forensic analysis and remediation may be required. No official patch or fix is available; mitigation relies on removal and secret rotation.
MAL-2026-6925: Malicious code in typescript-base58 (npm)
Description
The typescript-base58 package version 1.0.0 on npm is a malicious package that acts as a one-line re-export of another package base58-core. It misleadingly advertises zero dependencies while actually introducing base58-core as a runtime dependency. The package itself does not perform malicious actions directly, but the risk comes from the base58-core package it depends on, which is not analyzed here. Any system with this package installed should be considered fully compromised, and all secrets and keys must be rotated immediately. Removal of the package does not guarantee full remediation due to potential persistent compromise.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The [email protected] npm package is a malicious package that deceptively claims to have zero dependencies but actually depends on base58-core. While typescript-base58 itself does not contain lifecycle scripts, network calls, or obfuscation, the security risk arises from the base58-core package it pulls in. According to the GHSA advisory, any system with this package installed is considered fully compromised, requiring immediate secret rotation and package removal. The package's malicious nature is confirmed by the GHSA and GCVE sources, though no detailed analysis of base58-core is provided in this record.
Potential Impact
Systems with [email protected] installed are considered fully compromised. Attackers may have gained full control over the affected computer, potentially accessing all secrets and keys stored on it. Immediate secret and key rotation from a different, uncompromised system is necessary. Removing the package alone may not eliminate all malicious software introduced by the compromise.
Mitigation Recommendations
Remove the [email protected] package immediately from all affected systems. Rotate all secrets and keys stored on the compromised systems using a secure, unaffected environment. Because full system compromise is possible, further forensic analysis and remediation may be required. No official patch or fix is available; mitigation relies on removal and secret rotation.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-6925
- Osv Schema Version
- 1.7.4
- Aliases
- ["GHSA-rff8-755c-wqvw"]
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a4f6c3968715ace431588e7
Added to database: 07/09/2026, 09:39:05 UTC
Last enriched: 07/09/2026, 09:52:50 UTC
Last updated: 07/09/2026, 09:52:50 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.