Supply-chain threat intelligence

Incident detail

criticalnpm·typosquatting·osv

Malicious code in chain-sdk-js (npm)

chain-sdk-js

Risk score

92

AI summary

Indexed incident for chain-sdk-js (npm).

Description

chain-sdk-js is a typosquat of @thetalabs/theta-js (package name, description, author 'Theta Labs', and bundle filenames thetajs.cjs.js/thetajs.umd.js all mimic the legitimate SDK). The package's main entry, executed on require/import in cjs, esm, and umd builds, DES-decrypts an opaque blob (rsa.db) loaded from the co-installed dependency thedata (^1.0.1) using the hardcoded password 'hydra', then spawns a node child process and pipes the decrypted bytes into its stdin for execution (child_process.spawn('node', [], {...}); rsa_exec.stdin.write(String(rsaDecrypted))). Splitting the loader from the encrypted payload into a separately-published dependency (node_modules/thedata/apps/docs/app/rsa.db and des.db) hides the actual code that runs from static inspection of this tarball. The dist bundles also contain hardcoded POST/fetch call sites consistent with outbound network activity from the executed payload. Any consumer that installs and imports this package runs attacker-controlled code with the installer's privileges; the typosquat targets Theta blockchain developers who handle wallet and private-key material.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Technical details

Affected versions

=1.0.3=1.0.5=1.0.4=1.0.2=1.0.6

Indicators

  • Advisory IDs
    90%
  • affected version=1.0.375%
  • affected version=1.0.575%
  • affected version=1.0.475%
  • affected version=1.0.275%
  • affected version=1.0.675%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents