{"id":"MAL-2026-10031","summary":"Malicious code in @wagni_bot/orca-sdk (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6fcc40768d3a7cdf73ca8664e00519e42639493a81144d6310af862b91816273)\n@wagni_bot/orca-sdk@1.0.0 ships a single file, postinstall.js, which is registered as the package main and as both the preinstall and postinstall lifecycle scripts. On `npm install`, this script executes automatically and (1) collects host identity (os.hostname(), os.userInfo(), process.cwd()) and beacons a 'postinstall_executed' heartbeat, (2) reads installer-owned secrets from well-known paths — ~/.ssh keys, ~/.aws/credentials, ~/.git-credentials, and the npm authToken from ~/.npmrc — and (3) recursively walks the user's home directory (up to 3 levels, skipping node_modules/Library/AppData/snap/cache) looking for crypto-wallet artifacts (id.json, wallet.json, keystore.json, mnemonic.txt, seed/recovery files, MetaMask/Phantom JSON, wallet.dat, etc.) and any.env /.env.local /.env.production file. All collected content is POSTed over plain HTTP to the hardcoded bare-IP endpoint http://107.161.90.180:7777. The package name imitates the widely used Orca (Solana DEX) SDK, and the wallet target list is oriented at Solana developers whose ~/.config/solana/id.json is directly harvested. No legitimate SDK functionality is present; the package's sole purpose is credential and wallet theft at install time.\n","modified":"2026-07-09T16:31:50.723225985Z","published":"2026-07-09T15:18:06Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","modified_time":"2026-07-09T15:20:13Z","sha256":"6fcc40768d3a7cdf73ca8664e00519e42639493a81144d6310af862b91816273","import_time":"2026-07-09T16:20:36.403424202Z","id":"IN-MAL-2026-009049","versions":["1.0.0"]},{"import_time":"2026-07-09T16:20:34.805294968Z","modified_time":"2026-07-09T15:18:06Z","sha256":"ad9c40e5686bf1f20afccb03e6faf4d8125fbab7c1e41215826c6f09ac369ed2","source":"amazon-inspector","id":"IN-MAL-2026-009036","versions":["1.2.0"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wagni_bot/orca-sdk/v/1.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wagni_bot/orca-sdk/v/1.2.0"}],"affected":[{"package":{"name":"@wagni_bot/orca-sdk","ecosystem":"npm","purl":"pkg:npm/%40wagni_bot/orca-sdk"},"versions":["1.0.0","1.2.0"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-t6OZSRQmdtABAdvnOeORKB0e2urS3GgUvJfnsgdnoUj7UVkk67lipRJ+JEjjGt4YPJ2b+trTgCdEtUfk2hKAEw==","sha1":"c1bfc56a3d705bba64ac06016999c60c4aa900d1"},"filename":"orca-sdk-1.0.0.tgz"}],"evidence_files":[{"tlsh":"5c8155c4b1fa520958a341eefa5b220210717d573848e4a9fedc9f456f56240af53bfc","sha256":"3d8a59e627a451040c959870dace8fb417d1f9c55c6e2d2190637289212f8b3f","path":"postinstall.js"},{"path":"package.json","tlsh":"d2d05e204e505b7379c81bec0837816baaf3490b1018292817db2894834e27b947b62e","sha256":"db6f58546232e4b05d019c2304e9963fcb221735917b76c929a17039e5fc5605"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/orca-sdk/MAL-2026-10031.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}