`ts-einkle` + `ts-ankle` + `ts-einkle-slot` — crypto-wallet drainer / SSH backdoor / big.js typosquat cluster
Between 2026-06-26 and 2026-06-27 a single naming-cluster operator published three new malicious npm packages — ts-einkle (5 versions), ts-einkle-slot (5 versions), and ts-ankle (1 version). All three execute install-time payloads: ts-einkle is a full credential and crypto-wallet stealer exfiltrating to datasecure-service.vercel.app/api/v1; ts-ankle recursively walks the home directory for credential files and installs an SSH public key in ~/.ssh/authorized_keys; ts-einkle-slot typosquats big.js and shadow-loads node-slot on every require(). npm-support replaced all three with 0.0.1-security holders on 2026-06-29.
- Detected by
- Amazon Inspector · OpenSSF Package Analysis · GitHub Security Advisory
- Also known as
- ts-einkle / ts-ankle cluster
- Ecosystems
- npm
- Packages tracked
- 3
What happened
Between 2026-06-26 08:58 UTC and 2026-06-27 16:24 UTC, an operator published three closely-named npm packages — ts-einkle, ts-einkle-slot, and ts-ankle — that together implement three orthogonal supply-chain attack primitives. The shared ts-* naming convention and the 28-hour publish window strongly imply a single operator. Amazon Inspector flagged all three; npm-support seized the names and published 0.0.1-security holders early on 2026-06-29.
ts-einkle — credential and crypto-wallet stealer
ts-einkle was published across 1.0.9, 1.1.0, 1.1.2, and 1.1.3 between 2026-06-26 08:58 UTC and 2026-06-27 16:02 UTC. Its package.json declares "postinstall": "node test.js", triggering on every npm install. The shipped test.js is a multi-stage stealer covering: SSH key files under ~/.ssh/, AWS credentials and config (~/.aws/), GPG keyrings (~/.gnupg/), npm and PyPI auth files (~/.npmrc, ~/.pypirc), Docker settings, git credentials, and the GitHub CLI token via gh auth token. On Windows it pivots to PowerShell DPAPI to decrypt the Chromium passwords store and read the Firefox profile vault. Browser-extension wallet targeting covers MetaMask, Phantom, Solflare, OKX, Coinbase Wallet, TrustWallet, Backpack, and TronLink, plus a recursive seed-phrase scan over shell history, .env, and clipboard contents. Everything is POSTed to https://datasecure-service.vercel.app/api/v1. SHA-256 of the dropped index.js is published in the OSV record. CIRCL / vulnerability-lookup tracks the package under MAL-2026-6524; the corresponding GHSA is GHSA-mjcv-m7fg-mg8j.
ts-ankle — home-directory walker and SSH backdoor
ts-ankle@1.1.0 was published 2026-06-27 16:23 UTC. Its postinstall hook recursively walks the user's home directory on Unix systems and every mounted drive on Windows, collecting files that match credential patterns fetched dynamically from an attacker server (so the operator can re-target which files get stolen without republishing the package). The stolen file payload is exfiltrated. On Linux the hook additionally appends a fixed attacker SSH public key to ~/.ssh/authorized_keys and inserts a host-firewall rule to allow inbound SSH — turning every infected host into a persistent attacker-accessible foothold. SHA-256 28a7cbf43fc7ea473a83f25e5449d25806c1902bc8b90c085e21b7da6e064073 is the published IOC; CIRCL identifier MAL-2026-6548; GHSA GHSA-992p-988h-h55j.
ts-einkle-slot — big.js typosquat with shadow-loaded node-slot dependency
ts-einkle-slot was published across 0.0.8, 0.0.9, 0.1.0, 0.1.1, and 0.1.2 between 2026-06-26 09:00 UTC and 2026-06-27 16:24 UTC. The published metadata is copied verbatim from Michael Mclaughlin's legitimate big.js arbitrary-precision arithmetic library — same description, same keywords, same README, same author block — to defeat surface-level review by anyone who checks the package page before installing. The shipped code adds a hidden module-load block that requires an attacker-controlled package named node-slot whenever any consumer import-s or require-s ts-einkle-slot. The shadow-loaded node-slot is the code-execution primitive; the typosquatted big.js surface is the social-engineering vector. CIRCL identifier MAL-2026-6525; GHSA GHSA-8cxx-rp6g-mcr9.
Disclosure timeline
- 2026-06-26 08:58–09:00 UTC —
ts-einkle@1.0.9andts-einkle-slot@0.0.8published. - 2026-06-27 08:06–09:25 UTC —
ts-einkle@{1.1.0,1.1.2}andts-einkle-slot@{0.0.9,0.1.0}published. - 2026-06-27 16:02–16:24 UTC — final pre-takedown versions
ts-einkle@1.1.3,ts-einkle-slot@{0.1.1,0.1.2}, andts-ankle@1.1.0published. - 2026-06-29 03:17 UTC — npm-support replaces all three names with
0.0.1-securityholders; CIRCL / vulnerability-lookup publishesMAL-2026-6524,MAL-2026-6525, andMAL-2026-6548; GHSA mirrors them.
Affected packages (3)
- npm
ts-ankle1.1.0 - npm
ts-einkle1.0.91.1.01.1.21.1.3 - npm
ts-einkle-slot0.0.80.0.90.1.00.1.10.1.2
Impact
ts-einkle@{1.0.9,1.1.0,1.1.2,1.1.3}—postinstall: node test.jstriggers a multi-stage stealer that harvests SSH keys, AWS credentials, GPG keys, npm/PyPI configs, Docker settings, git credentials, and GitHub CLI tokens; on Windows uses PowerShell DPAPI to decrypt Chromium passwords and read Firefox vault data; targets MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, and TronLink browser-extension wallets; captures Telegram Desktop tdata, browser cookies, clipboard contents, shell history, and recursively scans for seed phrases; exfiltrates everything tohttps://datasecure-service.vercel.app/api/v1ts-ankle@1.1.0—postinstallhook recursively walks the user's home directory on Unix and every mounted drive on Windows, collects files matching dynamically-fetched credential patterns, exfiltrates them, AND on Linux appends an attacker SSH public key to~/.ssh/authorized_keysplus opens inbound SSH in the host firewall — persistent remote access on top of credential theftts-einkle-slot@{0.0.8,0.0.9,0.1.0,0.1.1,0.1.2}— copiesbig.jsmetadata verbatim to defeat surface-level review, then injects a hidden module-load block that imports the attacker-controllednode-slotshadow dependency whenever the package isimport-ed orrequire-d, executing it silently even if the host module-load throws- Crypto-wallet seed phrases and exchange API keys harvested from
ts-einkletypically convert to on-chain withdrawal attempts within minutes — anyone who rannpm installagainst a manifest referencing these names should treat connected wallets and exchange accounts as actively under attack
What to do
- 1Remove every reference to
ts-einkle,ts-einkle-slot, andts-anklefrompackage.json/ lockfiles / CI image layers — all three names now serve0.0.1-securityholders, so previously-pinned high versions no longer resolve and a freshnpm installwill fail loudly until you delete the line - 2Treat any host that ran
npm installagainst these names as fully compromised: rotate every secret reachable from that host from a separate clean device — npm tokens, GitHub tokens, AWS access keys, SSH private keys, GPG keys, cloud CLI tokens, Docker registry credentials, and any browser-stored or extension-stored crypto wallet seed phrase or exchange API key - 3For
ts-anklevictims specifically: inspect~/.ssh/authorized_keyson every Linux host that ran the install and remove any attacker-added key; review host firewall rules for unexpected inbound SSH allows added since 2026-06-26 - 4Block
datasecure-service.vercel.appat egress; hunt firewall and DNS logs for outbound HTTPS to that host since 2026-06-26 - 5For
ts-einkle-slotvictims: searchnode_modulesfor anynode-slotdirectory andpackage-lock.jsonfor anode-slotentry — the package was loaded as a shadow dependency at install time and should not have been requested directly - 6Scan internal Artifactory / Nexus / Verdaccio mirrors for cached tarballs of these names and purge them — the npm-support
0.0.1-securityreplacement does not flush private caches
References
- GitHubGHSA-mjcv-m7fg-mg8j — Malicious code in ts-einkle (npm)github.com
- GitHubGHSA-992p-988h-h55j — Malicious code in ts-ankle (npm)github.com
- GitHubGHSA-8cxx-rp6g-mcr9 — Malicious code in ts-einkle-slot (npm)github.com
- OpenSSF Malicious PackagesMAL-2026-6524 — ts-einkle credential/wallet stealergithub.com
- OpenSSF Malicious PackagesMAL-2026-6548 — ts-ankle home-dir walker and SSH backdoorgithub.com
- OpenSSF Malicious PackagesMAL-2026-6525 — ts-einkle-slot big.js typosquatgithub.com