Supply-chain threat intelligence

Incident detail

critical · npm · maintainer compromise · osv

Malicious code in base58-core (npm)

base58-core

Risk score

92

AI summary

Indexed incident for base58-core (npm).

Description

base58-core@1.0.5 presents itself as a base58 encoding library (the README markets it as @base58/core and the public API mimics bs58/@scure/base), but on require of dist/index.js it arms a time-bombed payload that activates 72 hours after install.

After activation, a 2.5s timer polls the OS clipboard, detects BTC/ETH/SOL addresses, and silently replaces them with attacker-controlled wallet addresses (bc1qjft978uykglsh0adcyx6xhkes56vqzs3fual3l, 0xd63eD44065eDb1e2ad2519B011c06412dA7B7c5B, A7ajd7W5WYdrnkeaiBRjVoK6uBEDvgnuZcpzQXqo18Ph), redirecting any outgoing crypto transfer made by a user on the installer's machine to the attacker. When clipboard contents match wallet addresses, WIF/hex private keys, or BIP-39 seed phrases, the package POSTs the matches together with hostname, platform, cwd, and up to 2000 chars of clipboard content to a hardcoded bare-IP endpoint at http://2.27.62.51:8080/api/health (with :8081 as backup) over plain HTTP.

For persistence, it appends a hook to ~/.bashrc, ~/.zshrc, and ~/.profile that re-invokes the payload via node -e "require('@base58/core')._internal.activate()" on every shell start, and on Windows it drops base58-runtime.js into the Startup folder, so the clipper survives reboots and host-process exits. The 72-hour activation delay and the powershell-based execSync calls are anti-analysis measures intended to evade sandbox/CI review.

Installer impact is direct financial theft (crypto-address substitution), credential/seed-phrase theft (clipboard exfiltration), and persistent compromise of the developer's shell environment.

Technical details

Affected versions

  • =1.0.1
  • =1.0.0
  • =1.0.2
  • =1.0.3
  • =1.0.5
  • =1.0.4
  • =1.0.7
  • =1.0.8
  • =1.0.6
  • >=0

Indicators

  • affected version =1.0.1 (75%)
  • affected version =1.0.0 (75%)
  • affected version =1.0.2 (75%)
  • affected version =1.0.3 (75%)
  • affected version =1.0.5 (75%)
  • affected version =1.0.4 (75%)
  • affected version =1.0.7 (75%)
  • affected version =1.0.8 (75%)
  • affected version =1.0.6 (75%)
  • affected version >=0 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents