#018High2026-04-03

Trojanized basic-auth Clone with Crypto Phishing

simple-auth-basic@2.0.8

Veredicto:MALICIOUS — Trojanized fork of legitimate package

▸Visión General

A malicious package published as simple-auth-basic@2.0.8, cloning the legitimate basic-auth npm package by Douglas Wilson. The trojanized version injects obfuscated URLs redirecting to coingecko-liard.vercel.app, a phishing domain impersonating CoinGecko. The package appears functionally identical to the original but contains hidden crypto phishing payloads that could redirect developers or their users to credential-harvesting sites.

basic-auth

Cloned Package

Vercel

Phishing Host

Crypto

Target Sector

Trojan

Attack Type

▸Flujo del Ataque

Supply Chain Entry

Published as simple-auth-basic, a plausible alternative name to the legitimate basic-auth package. Developers searching for basic authentication may install this by mistake.

Code Injection

Injects obfuscated URLs into the package code, pointing to coingecko-liard.vercel.app, a phishing domain hosted on Vercel.

Credential Harvesting

The phishing domain impersonates CoinGecko, targeting crypto users with fake authentication flows to steal wallet credentials and API keys.

▸MITRE ATT&CK Mapeo

T1195.002Supply Chain Compromise — trojanized npm package

T1036.005Masquerading — clone of legitimate basic-auth

T1566.002Phishing — crypto credential harvesting via fake CoinGecko

▸Tags

TrojanCryptoPhishingCoinGeckobasic-auth

← Anterior

#017 Silent Postinstall Exfiltration in Crypto Wallet SDK

#019 MCP Injection Campaign Targeting Claude Code and Cursor