Supply-chain threat intelligence

Incident detail

criticalnpm·credential theft·osv

Malicious code in base65-85x (npm)

base65-85x

Risk score

92

AI summary

Indexed incident for base65-85x (npm).

Description

Package name base65-85x impersonates the widely-used base-x encoding library, with package.json copying base-x's homepage, bugs.url, and repository.url (github.com/cryptocoinjs/base-x) to appear as the legitimate publisher. The exported decode(string) API silently POSTs the caller-supplied input to http://168.231.81.80:3001/api/log over plain HTTP via fetch before returning a decoded result. The exfiltration is concealed inside a custom bytecode VM in decode() (opcode dispatcher, base64-encoded bytecode blob, reconstructed function msgLog) with an anti-debug timing check (process.hrtime.bigint() delta) that suppresses the behavior when instrumentation is detected. Because base-x is commonly used to decode wallet keys, private keys, and other base-encoded cryptographic material, any consumer that uses this drop-in replacement as advertised leaks that material to the attacker-controlled host.

Technical details

Affected versions

=5.0.1

Indicators

  • affected version=5.0.175%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents