`crossmint-wallets-sdk` + `@epsteinlovekids483/crossmint-wallets-sdk-pentest` — install-time wallet/credential exfil via Crossmint SDK impersonators
Between 2026-06-26 13:44 UTC and 2026-06-27 03:09 UTC the npm account epsteinlovekids483 published two impersonators of the legitimate @crossmint/wallets-sdk: a scoped @epsteinlovekids483/crossmint-wallets-sdk-pentest (8 rapid versions) that on require() exfiltrates AWS keys, SSH keys, npm tokens, gh auth token, and Solana keypairs to a 127.0.0.1:8052/exfil loopback C2; and the unscoped crossmint-wallets-sdk@1.0.0 that fires preinstall and install lifecycle scripts to capture host identifiers and POST them to an attacker-controlled endpoint. Both are flagged by CIRCL as MAL-2026-6522 and MAL-2026-6545.
- Detected by
- CIRCL / Vulnerability-Lookup
- Also known as
- Crossmint SDK impersonator pair · epsteinlovekids483 campaign
- Ecosystems
- npm
- Packages tracked
- 2
What happened
On 2026-06-26 at 13:44 UTC the npm account epsteinlovekids483 (hugeneshking@gmail.com) published the first of eight versions of @epsteinlovekids483/crossmint-wallets-sdk-pentest, iterating from 1.0.0-pentest through 1.0.11-pentest over the following 96 minutes and culminating in an unscoped 1.0.11 release at 16:00 UTC. The package declares the legitimate https://github.com/Crossmint/crossmint-sdk repository, names "Paella Labs Inc" (Crossmint's legal entity) as the author, and ships a copied @crossmint/wallets-sdk README — all of which would lead a developer doing surface-level due diligence to mistake it for the genuine SDK.
Internal source comments in the shipped JavaScript explicitly state the payload is "Injected into @crossmint/wallets-sdk". On require(), the package harvests filtered process.env keys matching a 16-token regex covering tokens, secrets, passwords, mnemonics, wallets, private keys, and major cloud / SaaS provider environment names. It then runs gh auth token via child_process.execSync to capture the GitHub CLI token, reads ~/.npmrc (npm publish tokens), ~/.aws/credentials (AWS access keys), every file under ~/.ssh/ (private keys), and ~/.config/solana/id.json (Solana keypair). The collected payload is JSON-stringified, base64-encoded, and POSTed via HTTPS with TLS validation disabled (and HTTP fallback) to a hardcoded 127.0.0.1:8052/exfil endpoint that internal comments label as "C2". CIRCL / vulnerability-lookup flags this as MAL-2026-6522.
The loopback destination is unusual and limits the immediate exfiltration reach on a vanilla installer — anyone who pipes the package through a fresh npm install does not actually leak data unless they happen to be running a listener on 127.0.0.1:8052. The pattern is consistent with either a red-team / pentest exercise staged by the operator, or a staging build that ships before the operator swaps the loopback for a remote endpoint in a republish.
The unscoped follow-up
Less than 12 hours later, at 2026-06-27 03:09:48 UTC, the same epsteinlovekids483 account published crossmint-wallets-sdk@1.0.0 — the same name as the legitimate package family but in the unscoped npm namespace (the legitimate package is @crossmint/wallets-sdk under the @crossmint scope). This release ships a much smaller surface: just three files (preinstall.js, install.js, package.json, ~2.6KB unpacked) with preinstall and install lifecycle hooks. Both preinstall.js and index.js import child_process, capture os.hostname(), and POST the collected host identifier via https.request to a hardcoded external endpoint — install-time reconnaissance against any developer or build system that runs npm install with autocomplete-suggested crossmint-wallets-sdk (instead of the correct @crossmint/wallets-sdk). CIRCL flags this as MAL-2026-6545.
The two-package staging pattern — a scoped "pentest"-named variant with the heavy credential harvester, then an unscoped lookalike with lifecycle-script reconnaissance — fits an operator profile of staging the heavy payload behind a maintainer scope (which Crossmint developers searching npm would never accidentally install) while ranging the lighter install-time recon under the typosquat lookalike most likely to catch a fat-fingered or autocomplete-blind dependency add.
Disclosure timeline
- 2026-06-26 13:44 – 15:20 UTC —
@epsteinlovekids483/crossmint-wallets-sdk-pentestpublished in 7*-pentestprereleases (1.0.0-pentest→1.0.11-pentest). - 2026-06-26 16:00:03 UTC —
@epsteinlovekids483/crossmint-wallets-sdk-pentest@1.0.11published as the public release (drops the-pentestsuffix). - 2026-06-27 03:09:48 UTC —
crossmint-wallets-sdk@1.0.0(unscoped) published by the same maintainer. - 2026-06-27 — CIRCL / vulnerability-lookup publishes
MAL-2026-6522(scoped pentest variant) andMAL-2026-6545(unscoped variant), flagging both as malicious code with active-attack credential/reconnaissance exfiltration fingerprints. - As of 2026-06-28 — both packages remain live on npm; the legitimate
@crossmint/wallets-sdkunder the@crossmintscope is unaffected.
Affected packages (2)
- npm
@epsteinlovekids483/crossmint-wallets-sdk-pentest1.0.0-pentest1.0.1-pentest1.0.2-pentest1.0.5-pentest1.0.7-pentest1.0.9-pentest1.0.11-pentest1.0.11 - npm
crossmint-wallets-sdk1.0.0
Impact
@epsteinlovekids483/crossmint-wallets-sdk-pentest— onrequire(), harvests filteredprocess.envkeys matchingTOKEN|KEY|SECRET|PASS|SEED|MNEMONIC|WALLET|PRIVATE|CREDENTIAL|AWS|AZURE|GCP|STRIPE|SLACK|TWILIO|NPM|GITHUB, plusgh auth token(viachild_process.execSync),~/.npmrc,~/.aws/credentials, every file under~/.ssh/, and~/.config/solana/id.json; payload JSON-stringified, base64-encoded, and POSTed with TLS validation disabled to a hardcoded127.0.0.1:8052/exfilC2crossmint-wallets-sdk@1.0.0—preinstall.jsandinstall.jsboth run atnpm installtime (before any user code), importchild_process, captureos.hostname(), and POST viahttps.requestto a hardcoded attacker endpoint — install-time reconnaissance against developer and build-system installers- Both packages typosquat the legitimate
@crossmint/wallets-sdk(the Crossmint stablecoin / wallet infrastructure SDK for EVM, Solana, and Stellar chains); the impersonators ship a copied Crossmint README and claim "Paella Labs Inc" authorship to defeat surface-level review - Loopback C2 in the published scoped build limits immediate reach on a vanilla installer, but the harvest + encode + POST primitives execute on every
require()and the destination is a one-line change for any future republish under the same maintainer
What to do
- 1Remove every reference to
crossmint-wallets-sdk(unscoped) and@epsteinlovekids483/crossmint-wallets-sdk-pentestfrompackage.json/ lockfiles / CI image layers; both packages remain live on npm at the time of this advisory - 2Use the legitimate
@crossmint/wallets-sdk(note the@crossmint/scope and the singularwallets-sdkslug); verify the maintainer is thecrossmintnpm org, notepsteinlovekids483 - 3Treat any host that installed either package as fully compromised — for the scoped pentest variant, every credential the harvest list touches must be rotated from a separate clean device: AWS access keys, SSH private keys (
~/.ssh/), npm auth tokens (~/.npmrc), GitHub CLI tokens (gh auth logout && gh auth login), Solana keypairs (~/.config/solana/id.json), and any wallet seed phrases or mnemonics that lived in shell history or.env - 4Hunt for outbound HTTPS to
127.0.0.1:8052/exfilin developer-machine and CI-runner logs since 2026-06-26 — a non-loopback re-target by the same operator would surface the same URI path - 5Audit recent npm installs on developer endpoints and CI runners for
crossmint-wallets-sdk(any version) and any package under the@epsteinlovekids483scope; revoke the npm publish tokens of any maintainer whose account ran the install
References
- CIRCL / Vulnerability-LookupMAL-2026-6545 — Malicious code in crossmint-wallets-sdk (npm)vulnerability.circl.lu
- CIRCL / Vulnerability-LookupMAL-2026-6522 — Malicious code in @epsteinlovekids483/crossmint-wallets-sdk-pentest (npm)vulnerability.circl.lu
- npmcrossmint-wallets-sdk on npm (unscoped typosquat)npmjs.com
- npm@epsteinlovekids483/crossmint-wallets-sdk-pentest on npmnpmjs.com
- npm@crossmint/wallets-sdk — the LEGITIMATE Crossmint Wallets SDKnpmjs.com