#018 | High | 2026-04-03

Trojanized basic-auth Clone with Crypto Phishing

simple-auth-basic@2.0.8

Verdict: MALICIOUS — Trojanized fork of legitimate package

Overview

A malicious package was published as simple-auth-basic@2.0.8, cloning the legitimate basic-auth npm package by Douglas Wilson. The trojanized version injects obfuscated URLs that redirect to coingecko-liard.vercel.app, a phishing domain impersonating CoinGecko. The package appears functionally identical to the original but contains hidden crypto phishing payloads that could redirect developers or their users to credential-harvesting sites.

Cloned Package: basic-auth
Phishing Host: Vercel
Target Sector: Crypto
Attack Type: Trojan

Attack Flow

Supply Chain Entry
Published as simple-auth-basic, a plausible alternative name to the legitimate basic-auth package. Developers searching for basic authentication may install this by mistake.
Code Injection
Injects obfuscated URLs into the package code, pointing to coingecko-liard.vercel.app, a phishing domain hosted on Vercel.
Credential Harvesting
The phishing domain impersonates CoinGecko, targeting crypto users with fake authentication flows to steal wallet credentials and API keys.
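
A lockfile check for the package named in this report, as an added example that is not part of the original report. The function name `findPackage` and the sample lockfile are constructed for illustration; the check covers npm lockfile v1, v2 and v3 layouts, including installs under an npm alias, and matches on the package name only (it does not look for the obfuscated URLs).

```javascript
// Added example: find installs of a named package in a parsed npm lockfile.
const BAD_NAME = "simple-auth-basic"; // package name from this report
const BAD_VERSION = "2.0.8";          // version from this report

function findPackage(lock, name = BAD_NAME, version = BAD_VERSION) {
  const hits = [];
  const record = (path, v) => hits.push({ path, version: v, exact: v === version });

  if (lock.packages) {
    // Lockfile v2/v3: flat map keyed by install path; "" is the root project.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const i = path.lastIndexOf("node_modules/");
      if (i < 0) continue; // root or workspace source folder
      // An aliased install ("auth": "npm:simple-auth-basic@...") keeps the
      // real package name in meta.name; otherwise the path gives the name.
      const real = meta.name || path.slice(i + "node_modules/".length);
      if (real === name) record(path, meta.version);
    }
    return hits;
  }

  // Lockfile v1: nested "dependencies" tree; aliases show up in "version".
  const walk = (deps, prefix) => {
    for (const [key, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${key}`;
      const alias = /^npm:(.+)@([^@]+)$/.exec(meta.version || "");
      if ((alias ? alias[1] : key) === name) record(path, alias ? alias[2] : meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/basic-auth": { version: "2.0.1" },
    "node_modules/simple-auth-basic": { version: "2.0.8" },
    "node_modules/auth": { name: "simple-auth-basic", version: "2.0.8" },
  },
};

for (const hit of findPackage(sampleLock)) {
  console.log(`${hit.exact ? "MALICIOUS" : "REVIEW"} ${hit.path}@${hit.version}`);
}
```

Pass it the result of `JSON.parse` on a project's `package-lock.json`; hits with `exact: false` are other versions of the same name and still need review.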

MITRE ATT&CK Mapping

T1195.002 Supply Chain Compromise — trojanized npm package
T1036.005 Masquerading — clone of legitimate basic-auth
T1566.002 Phishing — crypto credential harvesting via fake CoinGecko

Tags

Trojan, Crypto, Phishing, CoinGecko, basic-auth