{"id":"MAL-2026-10033","summary":"Malicious code in @wagni_bot/polymarket-sdk (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c939d03cb15cd37cd1e4f87e913daefd7407245c771ed23bf12a712cad2c5495)\n@wagni_bot/polymarket-sdk@1.1.3 is a credential-stealing package disguised as a Polymarket SDK. index.js exports an empty object; the package ships no advertised functionality. On `npm install`, scripts.postinstall triggers postinstall.js, which: (1) walks the current working directory, the user's home directory, and common crypto-wallet paths (.ethereum,.solana,.bitcoin, Library/Ethereum) for files matching keystore/wallet/seed/mnemonic/private/.pem/.key patterns, regex-matches Ethereum private keys, BTC WIF keys, and BIP39 mnemonics, and POSTs matches to a hardcoded bare-IP endpoint; (2) reads every file in ~/.ssh (excluding known_hosts, authorized_keys, and.pub files), harvesting id_rsa/id_ed25519 private keys, and POSTs each to the same endpoint; (3) enumerates process.env, filters for keys containing PRIVATE/SECRET/TOKEN/KEY/PASSWORD/MNEMONIC/SEED/WALLET/AWS, and exfiltrates name=value pairs together with hostname, username, and cwd. All traffic is sent over plain HTTP to http://107.161.90.180:7777. The package name impersonates a legitimate Polymarket SDK to attract developers likely to have crypto keys on disk.\n","modified":"2026-07-09T16:31:51.045074443Z","published":"2026-07-09T15:17:11Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-07-09T16:20:39.108031402Z","id":"IN-MAL-2026-009082","modified_time":"2026-07-09T15:25:30Z","versions":["1.1.5"],"sha256":"00ff40156e9b9ed5217299ae05d692fef75a24e5a2870b9e165166754c7df3bf","source":"amazon-inspector"},{"import_time":"2026-07-09T16:20:37.602587472Z","id":"IN-MAL-2026-009064","sha256":"88763b94ea857523036af8f3f4bbc7861378dc6ca961f3738435e77ee80576c0","versions":["1.1.1"],"modified_time":"2026-07-09T15:22:33Z","source":"amazon-inspector"},{"import_time":"2026-07-09T16:20:34.629095579Z","id":"IN-MAL-2026-009035","sha256":"c939d03cb15cd37cd1e4f87e913daefd7407245c771ed23bf12a712cad2c5495","versions":["1.1.3"],"modified_time":"2026-07-09T15:17:59Z","source":"amazon-inspector"},{"import_time":"2026-07-09T16:20:38.622439325Z","id":"IN-MAL-2026-009075","sha256":"e23d97deed586e49260f3bc22da6bbe767b9e9fa31baa6d7bef52c889762f309","versions":["1.0.0"],"modified_time":"2026-07-09T15:24:25Z","source":"amazon-inspector"},{"import_time":"2026-07-09T16:20:34.990822311Z","id":"IN-MAL-2026-009037","sha256":"1635405e118e677f9fb564c9dc43a0bc66da70dd81752bb059e90414506e3ac7","versions":["1.1.4"],"modified_time":"2026-07-09T15:18:16Z","source":"amazon-inspector"},{"import_time":"2026-07-09T16:20:38.151858142Z","id":"IN-MAL-2026-009071","sha256":"17116c251543c98ca4c496dc6f9022df020c590561f9dd7c221b965ea90bb946","versions":["1.1.0"],"modified_time":"2026-07-09T15:23:45Z","source":"amazon-inspector"},{"import_time":"2026-07-09T16:20:33.856785927Z","id":"IN-MAL-2026-009030","modified_time":"2026-07-09T15:17:11Z","versions":["1.2.0"],"sha256":"236c5163ce694ba99be29c7e4b17f70ce4488e437c08115ff66d7477527ec00f","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wagni_bot/polymarket-sdk/v/1.1.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wagni_bot/polymarket-sdk/v/1.1.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wagni_bot/polymarket-sdk/v/1.1.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wagni_bot/polymarket-sdk/v/1.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wagni_bot/polymarket-sdk/v/1.1.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wagni_bot/polymarket-sdk/v/1.1.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wagni_bot/polymarket-sdk/v/1.2.0"}],"affected":[{"package":{"name":"@wagni_bot/polymarket-sdk","ecosystem":"npm","purl":"pkg:npm/%40wagni_bot/polymarket-sdk"},"versions":["1.1.5","1.1.1","1.1.3","1.0.0","1.1.4","1.1.0","1.2.0"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/polymarket-sdk/MAL-2026-10033.json","indicators":{"evidence_files":[{"tlsh":"5c8155c4b1fa520958a341eefa5b220210717d573848e4a9fedc9f456f56240af53bfc","path":"postinstall.js","sha256":"3d8a59e627a451040c959870dace8fb417d1f9c55c6e2d2190637289212f8b3f"}],"package_integrity":[{"filename":"polymarket-sdk-1.1.5.tgz","hashes":{"sha1":"7e7293d4d61a85aeca67f6f232afa43ea268446a","sha512_sri":"sha512-eWdNDOj7rQjIsSgXAR1nlP2VtXoP/0kG160PMWkaP0DlfS2dA7McIR/I4ZJ4yhToWWp71KSs2XRZu5fdN2yWHw=="}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}