mal-2026-6690
Vulnerability from ossf_malicious_packages
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. log-taker1 embeds a full infostealer (~2800 lines) directly in index.js, executed at install time via postinstall: node test.js. The payload harvests cryptocurrency wallet vaults (MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, TronLink), browser cookies and credentials, SSH keys, AWS credentials, .npmrc tokens, Docker config, shell history, and password manager databases, exfiltrating all data to the C2 domain log-taker.store. The C2 is shared with the rohmat2527 maintainer account.
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (1cb455347231cee7751b1f84a97c50feab599fef0df9feece7cf4d646e1f5beb)
log-taker1@0.1.0 ships an index.js that requires child_process and invokes execSync('bash...') and execSync('zsh...') to shell out at load time. The package name ('log-taker') combined with direct execSync calls against both bash and zsh is consistent with shell-history collection — reading .bash_history / .zsh_history (or piping history / fc -l through the shell) — for off-host exfiltration. Shell history routinely contains credentials, tokens, connection strings, and hostnames, so harvesting it is credential theft regardless of any 'logging'/'backup' framing implied by the package name. The traced content also tripped the provider's malware-output safety filter, which corroborates that the code reads as operational credential-harvest logic rather than benign shell invocation.
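The two findings above (an install-time lifecycle script, and a module that shells out to bash/zsh and touches credential files) are things a consumer can check before `npm install` runs anything. The script below is an added example written for this record; it is not code from Amazon Inspector, SafeDep or the malicious package. It parses a package.json for install hooks, scans a source file for the spawn/shell/sensitive-path patterns the advisory describes, and compares a downloaded tarball against the SRI hash listed in the record so the exact known-bad artifact can be blocked. The package.json and source text are constructed stand-ins, and the regex heuristics are the author's own, not a published detection rule.

```python
"""Pre-install triage for an npm package (added example, not the advisory's code).

Checks three things the advisory calls out:
  1. lifecycle scripts that npm runs automatically at install time,
  2. source that requires child_process and shells out to bash/zsh or names
     credential files (shell history, .npmrc, AWS, SSH, Docker config),
  3. whether a downloaded tarball is the exact artifact the record lists
     (sha512 SRI match means "known malicious, block").
"""
import base64
import hashlib
import hmac
import json
import re

# Lifecycle scripts npm executes during `npm install` without user interaction.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic patterns (this example's own, not a vendor rule). Each hit is a
# reason for a human to read the file, not a verdict on its own.
SOURCE_PATTERNS = {
    "child_process": re.compile(r"""require\(\s*['"]child_process['"]\s*\)"""),
    "shell_exec": re.compile(r"""exec(?:Sync)?\(\s*['"`](?:bash|zsh|sh)\b"""),
    "sensitive_path": re.compile(
        r"\.(?:bash_history|zsh_history|npmrc)\b|\.aws/credentials|\.ssh/|\.docker/config\.json"
    ),
}

# SRI integrity value taken from this record's package_integrity entry.
ADVISORY_SRI = ("sha512-PxZ8veRhMS/pJIFTCMhi4sG1aVyr45TbtfX+jmD4AM0r8fGJFB0e9ogOa4YSqgzay"
                "CeBUFy+R398RfQ/VZQqKg==")

# Constructed sample inputs (not the real log-taker1 files).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-pkg", "version": "0.1.0",
    "scripts": {"postinstall": "node test.js", "test": "echo ok"},
})
SAMPLE_SOURCE = """
const { execSync } = require('child_process');
const hist = execSync('bash -c "cat ~/.bash_history"').toString();
const zhist = execSync('zsh -c "cat ~/.zsh_history"').toString();
"""
SAMPLE_TARBALL = b"constructed tarball bytes, not the real artifact"


def install_hooks(package_json_text: str) -> dict:
    """Return only the scripts npm would run automatically at install time."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def scan_source(source: str) -> dict:
    """Map each pattern name to the sorted distinct matches found in the source."""
    return {name: sorted({m.group(0) for m in pat.finditer(source)})
            for name, pat in SOURCE_PATTERNS.items()}


def sri_sha512(data: bytes) -> str:
    """Compute the sha512 SRI string npm stores for a tarball."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


def parse_sri(sri: str) -> tuple:
    """Split an SRI string into (algorithm, raw digest bytes), validating its shape."""
    algo, _, b64 = sri.partition("-")
    digest = base64.b64decode(b64, validate=True)
    if algo != "sha512" or len(digest) != 64:
        raise ValueError("only well-formed sha512 SRI strings are supported")
    return algo, digest


def matches_known_bad(tarball: bytes, known_bad_sri: str) -> bool:
    """True if the tarball is byte-for-byte the artifact the advisory lists."""
    parse_sri(known_bad_sri)  # reject malformed reference values early
    return hmac.compare_digest(sri_sha512(tarball), known_bad_sri)


def triage(package_json_text: str, source: str, tarball: bytes, known_bad_sri: str) -> dict:
    """Combine the checks into one report; review_required is the install-time gate."""
    hooks = install_hooks(package_json_text)
    hits = scan_source(source)
    known_bad = matches_known_bad(tarball, known_bad_sri)
    suspicious_code = any(hits[k] for k in ("child_process", "shell_exec", "sensitive_path"))
    return {
        "install_hooks": hooks,
        "source_hits": hits,
        "matches_known_bad": known_bad,
        "review_required": known_bad or (bool(hooks) and suspicious_code),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCE, SAMPLE_TARBALL, ADVISORY_SRI), indent=2))
```

The gate is deliberately conjunctive: plenty of legitimate packages have a `prepare` script, and plenty use `child_process`; it is the combination of an automatic install hook with shell-outs that read credential files that the advisory identifies as the stealer pattern. The hash comparison is a separate, exact signal: a match against the record's SRI value identifies the known-malicious tarball regardless of what the source looks like.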
{
  "affected": [
    {
      "database_specific": {
        "cwes": [
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          }
        ],
        "indicators": {
          "evidence_files": [
            {
              "path": "index.js",
              "sha256": "67490d46bcfdd64cec9b8c94cdb7a674ba6bb95e38e0db951fbfecc58849bdbd",
              "tlsh": "f382985e25fb213281e373e4554f10167679d443360ade49778c87982fae928a2f2fec"
            }
          ],
          "package_integrity": [
            {
              "filename": "log-taker1-0.1.0.tgz",
              "hashes": {
                "sha1": "f4d2cc5af1dcf50738d618f609f8e2330f11b381",
                "sha512_sri": "sha512-PxZ8veRhMS/pJIFTCMhi4sG1aVyr45TbtfX+jmD4AM0r8fGJFB0e9ogOa4YSqgzayCeBUFy+R398RfQ/VZQqKg=="
              }
            }
          ]
        },
        "iocs": {
          "domains": [
            "log-taker.store"
          ]
        }
      },
      "package": {
        "ecosystem": "npm",
        "name": "log-taker1"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": [
        "0.1.0"
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "inspector-research@amazon.com"
      ],
      "name": "Amazon Inspector",
      "type": "FINDER"
    },
    {
      "contact": [
        "https://safedep.io"
      ],
      "name": "SafeDep",
      "type": "FINDER"
    }
  ],
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-007909",
        "import_time": "2026-07-01T22:02:59.292940851Z",
        "modified_time": "2026-07-01T21:09:23Z",
        "sha256": "1cb455347231cee7751b1f84a97c50feab599fef0df9feece7cf4d646e1f5beb",
        "source": "amazon-inspector",
        "versions": [
          "0.1.0"
        ]
      }
    ]
  },
  "details": "Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. `log-taker1` embeds a full infostealer (~2800 lines) directly in `index.js`, executed at install time via `postinstall: node test.js`. The payload harvests cryptocurrency wallet vaults (MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, TronLink), browser cookies and credentials, SSH keys, AWS credentials, `.npmrc` tokens, Docker config, shell history, and password manager databases, exfiltrating all data to the C2 domain `log-taker.store`. The C2 is shared with the `rohmat2527` maintainer account.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1cb455347231cee7751b1f84a97c50feab599fef0df9feece7cf4d646e1f5beb)\nlog-taker1@0.1.0 ships an index.js that requires child_process and invokes execSync(\u0027bash...\u0027) and execSync(\u0027zsh...\u0027) to shell out at load time. The package name (\u0027log-taker\u0027) combined with direct execSync calls against both bash and zsh is consistent with shell-history collection \u2014 reading.bash_history /.zsh_history (or piping `history` / `fc -l` through the shell) \u2014 for off-host exfiltration. Shell history routinely contains credentials, tokens, connection strings, and hostnames, so harvesting it is credential theft regardless of any \u0027logging\u0027/\u0027backup\u0027 framing implied by the package name. The traced content also tripped the provider\u0027s malware-output safety filter, which corroborates that the code reads as operational credential-harvest logic rather than benign shell invocation.\n",
  "id": "MAL-2026-6690",
  "modified": "2026-07-01T22:04:52Z",
  "published": "2026-06-30T00:00:00Z",
  "references": [
    {
      "type": "REPORT",
      "url": "https://safedep.io/defi-infostealer-fake-arbitrage-bot-npm/"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/log-taker1/v/0.1.0"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in log-taker1 (npm)"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.