{"id":"MAL-2026-10023","summary":"Malicious code in @wagni_bot/bsc-sdk (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (68707229cc80d6db8fe3b087a40601cdbd8b23bcda9a3030ede4e0ac85fe0cf8)\n@wagni_bot/bsc-sdk@1.1.0 is a typosquat of BSC-SDK-family packages whose sole purpose is credential theft at install time. index.js exports an empty object; the package provides no advertised BNB Smart Chain functionality. The postinstall lifecycle script recursively scans the current working directory, the user's home directory, and ~/.ssh for files matching id_rsa, id_ed25519, *.pem, *.key, *.cred, and.env, and POSTs their contents to a hardcoded bare-IP endpoint at http://107.161.90.180:7777. In parallel, it enumerates process.env for keys containing PRIVATE, SECRET, TOKEN, API_KEY, PASSWORD, MNEMONIC, SEED, WALLET, or AWS and transmits the matching key=value pairs along with hostname, username, and cwd to the same endpoint. The destination is a plaintext HTTP bare IP on a non-standard port, consistent with throwaway stealer infrastructure. Every developer and CI runner that runs `npm install` on this package has their SSH private keys, PEM certificates, and credential-shaped environment variables shipped to the attacker.\n","modified":"2026-07-09T16:31:56.669187341Z","published":"2026-07-09T15:17:19Z","database_specific":{"malicious-packages-origins":[{"sha256":"01e01daf028cc2f0fcf1ea2b6bc4500a123febdb5656bfa1f80ce675e96d7798","id":"IN-MAL-2026-009042","source":"amazon-inspector","versions":["1.2.0"],"import_time":"2026-07-09T16:20:35.853833944Z","modified_time":"2026-07-09T15:19:07Z"},{"sha256":"315cebf0b6c9fed4a189fff2b0cd6c292e870150deeb5d6a43067972c43b54e6","id":"IN-MAL-2026-009058","source":"amazon-inspector","import_time":"2026-07-09T16:20:37.074404884Z","versions":["1.1.3"],"modified_time":"2026-07-09T15:21:39Z"},{"sha256":"4cead275a720b5cfe0cabc4cb264a1ca1840473e9368c5174e886bb7dbc5a939","id":"IN-MAL-2026-009062","source":"amazon-inspector","import_time":"2026-07-09T16:20:37.455187713Z","versions":["1.1.1"],"modified_time":"2026-07-09T15:22:13Z"},{"sha256":"584f507a0470ea912e3a84a54a7c2f86aab44e6717f6ea9736121d54f073891a","id":"IN-MAL-2026-009046","source":"amazon-inspector","import_time":"2026-07-09T16:20:36.221502742Z","versions":["1.1.4"],"modified_time":"2026-07-09T15:19:47Z"},{"sha256":"68707229cc80d6db8fe3b087a40601cdbd8b23bcda9a3030ede4e0ac85fe0cf8","id":"IN-MAL-2026-009070","source":"amazon-inspector","import_time":"2026-07-09T16:20:38.099144938Z","versions":["1.1.0"],"modified_time":"2026-07-09T15:23:34Z"},{"sha256":"6dd15e1f251a2897f0cb347c79e4443c00a9cefdce96275b91f379c4bd0ce93f","id":"IN-MAL-2026-009031","source":"amazon-inspector","import_time":"2026-07-09T16:20:33.917438787Z","versions":["1.1.5"],"modified_time":"2026-07-09T15:17:19Z"},{"sha256":"83881f27f5d074f0086d86e1215f8df95a1decf65057bf2b6a6db74b7aa7591f","id":"IN-MAL-2026-009041","source":"amazon-inspector","import_time":"2026-07-09T16:20:35.797613686Z","versions":["1.0.0"],"modified_time":"2026-07-09T15:18:59Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wagni_bot/bsc-sdk/v/1.2.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wagni_bot/bsc-sdk/v/1.1.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wagni_bot/bsc-sdk/v/1.1.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wagni_bot/bsc-sdk/v/1.1.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wagni_bot/bsc-sdk/v/1.1.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wagni_bot/bsc-sdk/v/1.1.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wagni_bot/bsc-sdk/v/1.0.0"}],"affected":[{"package":{"name":"@wagni_bot/bsc-sdk","ecosystem":"npm","purl":"pkg:npm/%40wagni_bot/bsc-sdk"},"versions":["1.2.0","1.1.3","1.1.1","1.1.4","1.1.0","1.1.5","1.0.0"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/bsc-sdk/MAL-2026-10023.json","indicators":{"evidence_files":[{"sha256":"6c9c16897e74d441ac24472d86e97fac219c2fc56f14408ef406b2883df03654","path":"postinstall.js","tlsh":"6712d9c576be111d1427d2bbfa2b0202356eae8a260dd995fcce09002f583945bd7bfc"},{"sha256":"16456008841becc588786645c2134953259cd2849297553ac0d0f83660ddab9a","path":"package.json","tlsh":"b2d05e204e515b3378c81bec0827416aa9f3490b1018292857df2894430e2bb947b72f"}],"package_integrity":[{"hashes":{"sha1":"12effddffe3a375f1230cfe0a3453b7269347a12","sha512_sri":"sha512-dJCW0I5wnLRHfp8qOYxvZkq7kkJTJhoha0mxSpc1Asb/VY7hVXoL7ffrlBcLfpF3u1/W5hvGFdymsUwOCtlbCw=="},"filename":"bsc-sdk-1.2.0.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}