Feed
HighPublished 27 Jun 20262 packages · 9 versions

`crossmint-wallets-sdk` + `@epsteinlovekids483/crossmint-wallets-sdk-pentest` — install-time wallet/credential exfil via Crossmint SDK impersonators

Summary

Between 2026-06-26 13:44 UTC and 2026-06-27 03:09 UTC the npm account epsteinlovekids483 published two impersonators of the legitimate @crossmint/wallets-sdk: a scoped @epsteinlovekids483/crossmint-wallets-sdk-pentest (8 rapid versions) that on require() exfiltrates AWS keys, SSH keys, npm tokens, gh auth token, and Solana keypairs to a 127.0.0.1:8052/exfil loopback C2; and the unscoped crossmint-wallets-sdk@1.0.0 that fires preinstall and install lifecycle scripts to capture host identifiers and POST them to an attacker-controlled endpoint. Both are flagged by CIRCL as MAL-2026-6522 and MAL-2026-6545.

typosquatcredential-theftcrypto-wallet-draininfostealerobfuscation
Detected by
CIRCL / Vulnerability-Lookup
Also known as
Crossmint SDK impersonator pair · epsteinlovekids483 campaign
Ecosystems
npm
Packages tracked
2

What happened

On 2026-06-26 at 13:44 UTC the npm account epsteinlovekids483 (hugeneshking@gmail.com) published the first of eight versions of @epsteinlovekids483/crossmint-wallets-sdk-pentest, iterating from 1.0.0-pentest through 1.0.11-pentest over the following 96 minutes and culminating in an unscoped 1.0.11 release at 16:00 UTC. The package declares the legitimate https://github.com/Crossmint/crossmint-sdk repository, names "Paella Labs Inc" (Crossmint's legal entity) as the author, and ships a copied @crossmint/wallets-sdk README — all of which would lead a developer doing surface-level due diligence to mistake it for the genuine SDK.

Internal source comments in the shipped JavaScript explicitly state the payload is "Injected into @crossmint/wallets-sdk". On require(), the package harvests filtered process.env keys matching a 16-token regex covering tokens, secrets, passwords, mnemonics, wallets, private keys, and major cloud / SaaS provider environment names. It then runs gh auth token via child_process.execSync to capture the GitHub CLI token, reads ~/.npmrc (npm publish tokens), ~/.aws/credentials (AWS access keys), every file under ~/.ssh/ (private keys), and ~/.config/solana/id.json (Solana keypair). The collected payload is JSON-stringified, base64-encoded, and POSTed via HTTPS with TLS validation disabled (and HTTP fallback) to a hardcoded 127.0.0.1:8052/exfil endpoint that internal comments label as "C2". CIRCL / vulnerability-lookup flags this as MAL-2026-6522.

The loopback destination is unusual and limits the immediate exfiltration reach on a vanilla installer — anyone who pipes the package through a fresh npm install does not actually leak data unless they happen to be running a listener on 127.0.0.1:8052. The pattern is consistent with either a red-team / pentest exercise staged by the operator, or a staging build that ships before the operator swaps the loopback for a remote endpoint in a republish.

The unscoped follow-up

Less than 12 hours later, at 2026-06-27 03:09:48 UTC, the same epsteinlovekids483 account published crossmint-wallets-sdk@1.0.0 — the same name as the legitimate package family but in the unscoped npm namespace (the legitimate package is @crossmint/wallets-sdk under the @crossmint scope). This release ships a much smaller surface: just three files (preinstall.js, install.js, package.json, ~2.6KB unpacked) with preinstall and install lifecycle hooks. Both preinstall.js and index.js import child_process, capture os.hostname(), and POST the collected host identifier via https.request to a hardcoded external endpoint — install-time reconnaissance against any developer or build system that runs npm install with autocomplete-suggested crossmint-wallets-sdk (instead of the correct @crossmint/wallets-sdk). CIRCL flags this as MAL-2026-6545.

The two-package staging pattern — a scoped "pentest"-named variant with the heavy credential harvester, then an unscoped lookalike with lifecycle-script reconnaissance — fits an operator profile of staging the heavy payload behind a maintainer scope (which Crossmint developers searching npm would never accidentally install) while ranging the lighter install-time recon under the typosquat lookalike most likely to catch a fat-fingered or autocomplete-blind dependency add.

Disclosure timeline

  • 2026-06-26 13:44 – 15:20 UTC@epsteinlovekids483/crossmint-wallets-sdk-pentest published in 7 *-pentest prereleases (1.0.0-pentest1.0.11-pentest).
  • 2026-06-26 16:00:03 UTC@epsteinlovekids483/crossmint-wallets-sdk-pentest@1.0.11 published as the public release (drops the -pentest suffix).
  • 2026-06-27 03:09:48 UTCcrossmint-wallets-sdk@1.0.0 (unscoped) published by the same maintainer.
  • 2026-06-27 — CIRCL / vulnerability-lookup publishes MAL-2026-6522 (scoped pentest variant) and MAL-2026-6545 (unscoped variant), flagging both as malicious code with active-attack credential/reconnaissance exfiltration fingerprints.
  • As of 2026-06-28 — both packages remain live on npm; the legitimate @crossmint/wallets-sdk under the @crossmint scope is unaffected.

Affected packages (2)

  • npm@epsteinlovekids483/crossmint-wallets-sdk-pentest
    1.0.0-pentest1.0.1-pentest1.0.2-pentest1.0.5-pentest1.0.7-pentest1.0.9-pentest1.0.11-pentest1.0.11
  • npmcrossmint-wallets-sdk
    1.0.0

Impact

  • @epsteinlovekids483/crossmint-wallets-sdk-pentest — on require(), harvests filtered process.env keys matching TOKEN|KEY|SECRET|PASS|SEED|MNEMONIC|WALLET|PRIVATE|CREDENTIAL|AWS|AZURE|GCP|STRIPE|SLACK|TWILIO|NPM|GITHUB, plus gh auth token (via child_process.execSync), ~/.npmrc, ~/.aws/credentials, every file under ~/.ssh/, and ~/.config/solana/id.json; payload JSON-stringified, base64-encoded, and POSTed with TLS validation disabled to a hardcoded 127.0.0.1:8052/exfil C2
  • crossmint-wallets-sdk@1.0.0preinstall.js and install.js both run at npm install time (before any user code), import child_process, capture os.hostname(), and POST via https.request to a hardcoded attacker endpoint — install-time reconnaissance against developer and build-system installers
  • Both packages typosquat the legitimate @crossmint/wallets-sdk (the Crossmint stablecoin / wallet infrastructure SDK for EVM, Solana, and Stellar chains); the impersonators ship a copied Crossmint README and claim "Paella Labs Inc" authorship to defeat surface-level review
  • Loopback C2 in the published scoped build limits immediate reach on a vanilla installer, but the harvest + encode + POST primitives execute on every require() and the destination is a one-line change for any future republish under the same maintainer

What to do

  1. 1Remove every reference to crossmint-wallets-sdk (unscoped) and @epsteinlovekids483/crossmint-wallets-sdk-pentest from package.json / lockfiles / CI image layers; both packages remain live on npm at the time of this advisory
  2. 2Use the legitimate @crossmint/wallets-sdk (note the @crossmint/ scope and the singular wallets-sdk slug); verify the maintainer is the crossmint npm org, not epsteinlovekids483
  3. 3Treat any host that installed either package as fully compromised — for the scoped pentest variant, every credential the harvest list touches must be rotated from a separate clean device: AWS access keys, SSH private keys (~/.ssh/), npm auth tokens (~/.npmrc), GitHub CLI tokens (gh auth logout && gh auth login), Solana keypairs (~/.config/solana/id.json), and any wallet seed phrases or mnemonics that lived in shell history or .env
  4. 4Hunt for outbound HTTPS to 127.0.0.1:8052/exfil in developer-machine and CI-runner logs since 2026-06-26 — a non-loopback re-target by the same operator would surface the same URI path
  5. 5Audit recent npm installs on developer endpoints and CI runners for crossmint-wallets-sdk (any version) and any package under the @epsteinlovekids483 scope; revoke the npm publish tokens of any maintainer whose account ran the install

References

npm-2026-06-27-crossmint-wallets-sdk-impersonator