{"id":"MAL-2026-10035","summary":"Malicious code in @wagni_bot/solana-sdk (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e15edf4a83ab4894a29882072554e493c1673695d5e6aaa734672ba6da084112)\nPackage @wagni_bot/solana-sdk impersonates a legitimate Solana SDK but contains no SDK functionality — `main` points at postinstall.js, which is a credential-harvesting payload that runs automatically on `npm install` via preinstall/postinstall hooks. On execution the script recursively walks the installer's home directory, Desktop, Documents, Downloads, /root, and /tmp for wallet and secret files (id.json, wallet.json, keypair.json, MetaMask/Phantom extension storage in Chrome/Brave/Edge profiles,.env, seed.txt, mnemonic.txt), and reads SSH private keys (~/.ssh/id_*), AWS credentials (~/.aws/credentials), git credentials,.npmrc,.netrc, and Solana/Ethereum keystores. Collected file contents (up to 10KB each) are bundled with os.hostname(), os.userInfo().username, and cwd, then POSTed in cleartext to http://107.161.90.180:7777. The package name typosquats the Solana SDK ecosystem to lure developers into installing the harvester.\n","modified":"2026-07-09T16:31:51.305081077Z","published":"2026-07-09T15:15:23Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-07-09T16:20:36.326758107Z","source":"amazon-inspector","versions":["1.0.0"],"sha256":"a2007f27f9956a58b77a5e6bc010944f866ea375a9e76ef8d080979721e51eba","modified_time":"2026-07-09T15:20:05Z","id":"IN-MAL-2026-009048"},{"modified_time":"2026-07-09T15:15:23Z","source":"amazon-inspector","versions":["1.2.0"],"sha256":"e15edf4a83ab4894a29882072554e493c1673695d5e6aaa734672ba6da084112","import_time":"2026-07-09T16:20:33.064753249Z","id":"IN-MAL-2026-009019"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wagni_bot/solana-sdk/v/1.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@wagni_bot/solana-sdk/v/1.2.0"}],"affected":[{"package":{"name":"@wagni_bot/solana-sdk","ecosystem":"npm","purl":"pkg:npm/%40wagni_bot/solana-sdk"},"versions":["1.0.0","1.2.0"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-IsekbLfEF9WDOmQii3NuSZDu8pne4VsOXWN1VKQsUc2Gy9Yif4MPjIVSoR6OD4a5s/Fi7ZXI9tw2CBSdopksjQ==","sha1":"a2da22179b6feee14f73568c3e9008f3ed94a853"},"filename":"solana-sdk-1.0.0.tgz"}],"evidence_files":[{"tlsh":"5c8155c4b1fa520958a341eefa5b220210717d573848e4a9fedc9f456f56240af53bfc","path":"postinstall.js","sha256":"3d8a59e627a451040c959870dace8fb417d1f9c55c6e2d2190637289212f8b3f"},{"tlsh":"2ed05e204e505f33b8c81bed0937416aa9f3490b1118292c17df3894874e67b98bb72e","path":"package.json","sha256":"65b1b0321120ad8458ec9801342ac23930095173d05dac4b2f6498c3db374264"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/solana-sdk/MAL-2026-10035.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}