Which versions of exodus-wallet-core are malicious?

The following npm versions of exodus-wallet-core are flagged malicious: 99.0.0-canary.1. Treat any of these as compromised.

How do I remediate exodus-wallet-core if I installed it?

Remove exodus-wallet-core from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is exodus-wallet-core part of a known attack campaign?

Yes — exodus-wallet-core is associated with the IN-MAL-2026-005114, IN-MAL-2026-005113 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect exodus-wallet-core in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking exodus-wallet-core and packages like it before any post-install script runs.

Malicious package

exodus-wallet-corenpm

Malicious code in exodus-wallet-core (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5443

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall exodus-wallet-core

What this malware does

Package name impersonates the Exodus cryptocurrency wallet brand. package.json declares "postinstall": "node src/canary.js", and src/canary.js performs a DNS lookup and HTTPS GET to a hardcoded Serveo reverse-tunnel host (96e03fa6c292469a-172-245-86-254.serveousercontent.com/c) on every npm install. Serveo (serveousercontent.com) is a reverse-SSH tunneling service frequently used to expose non-publisher hosts; this is not Exodus infrastructure. The callout leaks the installer's IP address and timing to the tunnel operator and demonstrates arbitrary install-time code execution on the installer's machine. Although the package self-describes as a HackerOne PoC canary, the technique is a live supply-chain attack pattern operating against any machine that installs it.

Malicious versions

1 flagged

99.0.0-canary.1

Indicators of compromise (SHA-256)

1ba93766fbae4c48460e40e317bf64f68251047d20cf43e4583db8d6be616bc8

53bf93b626689e980ef2e9c4ba33fd95e81d6a04c665f85908c8cf07b8b36e14

Frequently asked questions

No. exodus-wallet-core on npm has been identified as a malicious package (version 99.0.0-canary.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005114IN-MAL-2026-005113

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection