Supply-chain threat intelligence
Risk score
92
Indexed incident for ts-bn-proto (npm).
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. ts-bn-proto embeds an infostealer payload directly in index.js with a base64-encoded C2 address (data-stream.space), executed at install time via a postinstall hook. The payload harvests cryptocurrency wallet vaults (MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, TronLink), browser cookies and credentials, SSH keys, AWS credentials, developer secrets, and password manager databases, then exfiltrates all data to the attacker-controlled C2.
Affected versions
Indicators
Timeline