Supply-chain threat intelligence

Incident detail

critical · npm · typosquatting · osv

Malicious code in thirdwebb (npm)

thirdwebb

Risk score

92

AI summary

Indexed incident for thirdwebb (npm).

Description

Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. thirdwebb is a typosquat of the legitimate thirdweb package. It uses a side-loader technique: rather than carrying the payload itself, it pulls in log-taker as a transitive dependency, and the infostealer runs automatically via that dependency's postinstall hook. The payload harvests cryptocurrency wallet vaults (MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, TronLink), browser cookies and credentials, SSH keys, AWS credentials, .npmrc tokens, Docker config, shell history, and password manager databases, exfiltrating all data to the C2 domain log-taker.store.

Technical details

Affected versions

>=0

Indicators

  • affected version >=0 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents