Supply-chain threat intelligence

Incident detail

critical · npm · credential theft · osv

Malicious code in console-fmt-cli (npm)

console-fmt-cli

Risk score

92

AI summary

Indexed incident for console-fmt-cli (npm).

Description

Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. console-fmt-cli uses a side-loader technique: instead of shipping the payload in its own tarball, it declares decimal-format-core >=3.0 as a dependency and lets that dependency carry the dropper, which runs at install time through a postinstall hook. The dropper fetches a second-stage infostealer from a remote C2 (logstream-api.online); the second stage harvests cryptocurrency wallet vaults (MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, TronLink), browser cookies and credentials, SSH keys, AWS credentials, .npmrc tokens, Docker config, shell history, and password manager databases.

Technical details

Affected versions

>=0 (all published versions)

Indicators

  • affected version >=0 · 75%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents