Skip to content
supplychainattack.orgSupply chain attack incident catalog
activecritical

Malware in eth_accounts

Malware was discovered in the eth_accounts npm package. Any computer with this package installed is considered fully compromised and all secrets and keys should be rotated immediately from a different machine.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
Any system with eth_accounts installed; potential compromise of all secrets and keys on affected machines
Ecosystems
npm
Attack vectors
Compromised package
Affected entities
  • eth_accountsnpm package

The eth_accounts npm package was found to contain malware. According to the GitHub advisory (GHSA-72wp-5hhw-xhfc), any computer that has installed or run this package should be considered fully compromised.\n\nImmediate remediation requires rotating all secrets and keys stored on affected computers from a different, uncompromised machine. While the malicious package should be removed, there is no guarantee that removal will eliminate all malicious software that may have been installed as a result of the compromise, given that the attacker may have gained full control of the system.\n\nThe advisory was published on 2026-06-24 via GitHub's security advisory system.

Indicators of compromise

Packages
  • eth_accounts

Remediation

  • Immediately rotate all secrets, keys, and credentials stored on any computer that had eth_accounts installed, using a different uncompromised computer
  • Remove the eth_accounts package from all affected systems
  • Conduct a full security audit and malware scan of any system that had eth_accounts installed
  • Review access logs and monitor for unauthorized activity on systems that may have been compromised
  • Consider the affected system(s) as potentially fully compromised and plan for complete rebuild if critical systems are involved

Sources

  1. GitHub Advisory GHSA-72wp-5hhw-xhfc · GitHub Advisory Database

Cite this entry

"Malware in eth_accounts." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed June 24, 2026; last updated June 24, 2026. https://supplychainattack.org/incident/malware-in-eth-accounts-15dmc8

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

Related incidents

  1. activecritical

    Malware in multer-express

    Malware was discovered in the npm package multer-express. Systems with this package installed or running are considered fully compromised and require immediate remediation.

    npmCompromised package
  2. containedcritical

    Malware in opt-archetype-check

    Malware was discovered in the npm package opt-archetype-check, resulting in full system compromise for any computer with the package installed or running. All secrets and keys on affected systems should be rotated immediately from a different computer.

    npmCompromised package
  3. activecritical

    Malware in aes-decode-runner-pro

    Malware discovered in the npm package aes-decode-runner-pro. Systems with this package installed are considered fully compromised and may have given outside entities complete control.

    npmCompromised package
  4. containedcritical

    Malware in fetch-page-assets

    Malware was discovered in the npm package fetch-page-assets. Systems with this package installed or running should be considered fully compromised and require immediate remediation.

    npmCompromised package