{"id":"MAL-2026-10030","summary":"Malicious code in @wagni_bot/opensea-sdk (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (180731324517ae6b27ea40b119dba8f0ab1080a6662ea947f86e8c0de545b0cd)\nPackage impersonates the OpenSea SDK namespace (name @wagni_bot/opensea-sdk, description \"Unofficial opensea-sdk SDK\") but ships no SDK functionality — its purpose is the postinstall.js dropper that runs automatically on npm install. postinstall.js walks the installer's home directory and crypto-wallet paths (.ethereum,.solana,.bitcoin, Library/Ethereum) for files matching wallet/keystore/seed/mnemonic/private/pem/id_rsa patterns; greps file contents for Ethereum/Bitcoin private-key and BIP39 seed-phrase shapes; reads every file under ~/.ssh (excluding known_hosts and *.pub); and filters process.env for names containing PRIVATE, SECRET, TOKEN, KEY, PASSWORD, MNEMONIC, SEED, WALLET, or AWS. Each hit is POSTed together with os.hostname(), os.userInfo().username, and process.cwd() (plus up to 10KB of matched file content) via plain HTTP to the hardcoded bare-IP endpoint http://107.161.90.180:7777. Installing this package on a developer machine hands over SSH private keys, crypto wallet keystores/seed phrases, and secret environment variables to the operator of that endpoint.\n","modified":"2026-07-09T16:31:51.285116650Z","published":"2026-07-09T15:16:48Z","database_specific":{"malicious-packages-origins":[{"sha256":"180731324517ae6b27ea40b119dba8f0ab1080a6662ea947f86e8c0de545b0cd","source":"amazon-inspector","import_time":"2026-07-09T16:20:37.001985806Z","versions":["1.1.3"],"id":"IN-MAL-2026-009057","modified_time":"2026-07-09T15:21:29Z"},{"sha256":"d56bf145287b480a0577ea59eeb574bb06e0d02b9b0edff8455e1ff80da1832f","source":"amazon-inspector","import_time":"2026-07-09T16:20:39.008968199Z","versions":["1.1.5"],"id":"IN-MAL-2026-009080","modified_time":"2026-07-09T15:25:14Z"},{"import_time":"2026-07-09T16:20:37.892230148Z","source":"amazon-inspector","sha256":"fdf4e3b5fbb9ee046aa4d5448d1e218334d9ac301520bb1a476b66da5ab5ffea","versions":["1.1.0"],"id":"IN-MAL-2026-009067","modified_time":"2026-07-09T15:23:07Z"},{"sha256":"2b7cba911e938df1773eac5fb6c8d1ddd516b240d3fd15bb76669be864f3c11f","source":"amazon-inspector","import_time":"2026-07-09T16:20:37.238236156Z","versions":["1.1.1"],"id":"IN-MAL-2026-009060","modified_time":"2026-07-09T15:21:55Z"},{"sha256":"2bb17ee14bcebc28314402ab5abb1f23fd63161c49ad9f5240ac6b12885adff7","source":"amazon-inspector","import_time":"2026-07-09T16:20:36.766361147Z","versions":["1.1.4"],"id":"IN-MAL-2026-009054","modified_time":"2026-07-09T15:21:02Z"},{"sha256":"33f13d814ee8aed088dc7fef1737db9d9946d49b043aa95e9ed1f9bd3a10ddaa","source":"amazon-inspector","import_time":"2026-07-09T16:20:33.713134211Z","versions":["1.2.0"],"id":"IN-MAL-2026-009028","modified_time":"2026-07-09T15:16:48Z"},{"sha256":"4567a95fc8efe5311a2394bcc04b64aba72ca8ce846790fc5d37b56f39847162","source":"amazon-inspector","import_time":"2026-07-09T16:20:38.317505614Z","versions":["1.0.0"],"id":"IN-MAL-2026-009073","modified_time":"2026-07-09T15:24:06Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wagni_bot/opensea-sdk/v/1.1.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wagni_bot/opensea-sdk/v/1.1.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wagni_bot/opensea-sdk/v/1.1.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wagni_bot/opensea-sdk/v/1.1.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wagni_bot/opensea-sdk/v/1.1.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wagni_bot/opensea-sdk/v/1.2.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wagni_bot/opensea-sdk/v/1.0.0"}],"affected":[{"package":{"name":"@wagni_bot/opensea-sdk","ecosystem":"npm","purl":"pkg:npm/%40wagni_bot/opensea-sdk"},"versions":["1.1.3","1.1.5","1.1.0","1.1.1","1.1.4","1.2.0","1.0.0"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/opensea-sdk/MAL-2026-10030.json","indicators":{"evidence_files":[{"tlsh":"2a7194f4b0a9115853e3b7f2671b3d12a56f85563b82d4f13bec9e002f699c4ca23439","sha256":"ef1ab14e4f432b72160bae8ac60ef8558bc3f05c0e5a0f21516dbcd8f9bac202","path":"postinstall.js"},{"tlsh":"69c08c000b05af322aa00be52d63cc6c84e102680008d50c0fc709ba8a527ea902e113","sha256":"e7f4416be9edacf94b0d9b9a5a3022128e47de67c5a8530590f112e6da7c68fc","path":"package.json"}],"package_integrity":[{"hashes":{"sha1":"e9b584473c6a106d47f0ab7018be2f9ea2fe1bbd","sha512_sri":"sha512-XpDF5DeY2sSWSkush0ODVFUittcj9Ys4pcvFWdL9fGnZsqZDT2bXB05dgGRolVSQ2RuZ+3Uy8oWrjLrHlySKSg=="},"filename":"opensea-sdk-1.1.3.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}