Supply-chain threat intelligence

Incident detail

critical · npm · credential theft · osv

Malicious code in ts-bn-proto (npm)

ts-bn-proto

Risk score

92

AI summary

Indexed incident for ts-bn-proto (npm).

Description

Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. ts-bn-proto embeds an infostealer payload directly in index.js with a base64-encoded C2 address (data-stream.space), executed at install time via a postinstall hook. The payload harvests cryptocurrency wallet vaults (MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, TronLink), browser cookies and credentials, SSH keys, AWS credentials, developer secrets, and password manager databases, then exfiltrates all data to the attacker-controlled C2.

Technical details

Affected versions

>=0

Indicators

  • affected version >=0 · 75%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
