{
  "id": "MAL-2026-5360",
  "summary": "Malicious code in wallet-sdk-9 (npm)",
  "details": "Crypto/SSH/wallet stealer; sibling of the blockchain-helper-0 campaign (c960+). The postinstall hook auto-executes, and src/index.js harvests ~/.ssh/id_rsa and id_ed25519, Solana/Ethereum/Bitcoin/Tron/Sui/Aptos wallets, .env files and seed/mnemonic files, self-labels the upload \"CRYPTO STEALER\", and exfiltrates to the SAME Telegram bot 8227918239 / chat 6433587894 as the rest of the campaign (not rotated). The campaign now publishes with an inflated version number (3.7.73) rather than 1.0.0.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (dd38e082e2657a6a3f8ffbab9bbad8dc1e1f2c460bb65546640f818d3077dad6)\nOn install (postinstall lifecycle hook) and on require of the main module, src/index.js scans the installer's home directory and current working directory for crypto wallet material (Solana id.json, Ethereum keystore, Bitcoin wallet.dat, Tron/Sui/Aptos wallets), SSH private keys (~/.ssh/id_rsa, ~/.ssh/id_ed25519), and project secrets (.env, mnemonic.txt, seed.txt, private.key). Discovered files are uploaded to api.telegram.org using a hardcoded bot token and chat_id (bot 8227918239, chat 6433587894) via sendDocument. An isTestEnvironment() guard at src/index.js:10-26 suppresses execution in CI and sandboxed environments by checking CI/GITHUB_ACTIONS/JENKINS_HOME/NODE_ENV markers, Docker-style 12-hex hostnames, and runner/sandbox/docker usernames, ensuring the payload only fires on real developer machines. The package self-labels its exfiltration message as a 'CRYPTO STEALER' and ships no legitimate wallet SDK functionality despite its name; metadata is placeholder ('Utility library', empty README, generic author) consistent with a lure targeting developers searching for wallet SDKs.\n",
  "modified": "2026-06-11T02:31:31.918154383Z",
  "published": "2026-06-09T07:55:37Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-005350",
        "sha256": "dd38e082e2657a6a3f8ffbab9bbad8dc1e1f2c460bb65546640f818d3077dad6",
        "modified_time": "2026-06-11T01:39:26Z",
        "versions": ["3.7.73"],
        "source": "amazon-inspector",
        "import_time": "2026-06-11T02:24:27.036385046Z"
      }
    ]
  },
  "references": [
    {"type": "REPORT", "url": "https://app.safedep.io/community/malysis/01KTN73YY0MTFGD8C4TSDAPEMX"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/wallet-sdk-9/v/3.7.73"}
  ],
  "affected": [
    {
      "package": {"name": "wallet-sdk-9", "ecosystem": "npm", "purl": "pkg:npm/wallet-sdk-9"},
      "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}],
      "versions": ["3.7.73"],
      "database_specific": {
        "cwes": [
          {"description": "The product contains code that appears to be malicious in nature.", "name": "Embedded Malicious Code", "cweId": "CWE-506"}
        ],
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/wallet-sdk-9/MAL-2026-5360.json",
        "indicators": {
          "package_integrity": [
            {
              "hashes": {
                "sha1": "1d3d22b8c4f5d212c6a214a90713a079abe538ab",
                "sha512_sri": "sha512-HP7AP26QIeWqXeHQy4yZRe6Av+QkqNJjqOskFU+g9SJAoRiAbCmbU76aU6g7Kntgu99IPGrIWhaR3u3BLKH8Jw=="
              },
              "filename": "wallet-sdk-9-3.7.73.tgz"
            }
          ],
          "evidence_files": [
            {"sha256": "ef4459281c64f1fe8923d703d416f04080ff1a2b7b385366f46d7cdb25731502", "tlsh": "30b121f41ef677148193e3a9624f60015436e1473c06ed65769c87c8af88a6ca6f2efc", "path": "src/index.js"},
            {"sha256": "d115c5a849563cd963caffa5369a752ec5f8b2a0c23adde567fd921aea498e21", "tlsh": "21d0a7204f20973374c4475b0826914a69b20d1a0044bc1817e31248838d3b648bb21e", "path": "package.json"}
          ]
        }
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {"name": "Amazon Inspector", "contact": ["inspector-research@amazon.com"], "type": "FINDER"},
    {"name": "SafeDep", "contact": ["https://safedep.io"], "type": "FINDER"}
  ]
}
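Added triage example (not code from wallet-sdk-9, Amazon Inspector or SafeDep): a JavaScript scanner that checks an unpacked npm package for the indicators this record describes (install-time lifecycle hooks, Telegram sendDocument exfiltration, SSH key / wallet / .env harvesting, the CI-evasion guard, the 'CRYPTO STEALER' self-label and placeholder metadata), plus a reconstruction of the isTestEnvironment() checks so a detonation sandbox can be tested for whether this stealer would stay dormant in it. The regexes, weights, verdict thresholds, the NODE_ENV === 'test' value and the inert sample package are this example's assumptions, not the package's real source.

```javascript
'use strict';

// Lifecycle scripts npm runs automatically on install. postinstall is the hook
// this campaign uses; the others are flagged for the same reason.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Content indicators drawn from the behaviour the record describes. Regexes and
// weights are this example's assumptions, tuned for triage, not proof.
const INDICATORS = [
  { label: 'telegram-exfil',  weight: 5, re: /api\.telegram\.org\/bot|sendDocument/ },
  { label: 'ssh-key-harvest', weight: 4, re: /\.ssh[\\\/]|id_rsa|id_ed25519/ },
  { label: 'wallet-harvest',  weight: 4, re: /wallet\.dat|keystore|id\.json|mnemonic\.txt|seed\.txt|private\.key/ },
  { label: 'env-harvest',     weight: 2, re: /['"`]\.env['"`]/ },
  { label: 'ci-evasion',      weight: 3, re: /process\.env\.(CI|GITHUB_ACTIONS|JENKINS_HOME|NODE_ENV)\b|\[0-9a-f\]\{12\}|userInfo\(\)/ },
  { label: 'self-label',      weight: 2, re: /CRYPTO STEALER/i },
];

// files: { relativePath: fileContents } for an unpacked tarball (no fs/network
// here so the demo runs offline; load a real tarball into this shape yourself).
function scanPackage(files) {
  let hooks = [];
  try {
    const scripts = JSON.parse(files['package.json'] || '{}').scripts || {};
    hooks = LIFECYCLE_HOOKS.filter((h) => h in scripts);
  } catch (_) { /* unparsable package.json: treat as no declared hooks */ }

  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (!/\.(c|m)?js$|\.json$/.test(path)) continue;
    for (const ind of INDICATORS) {
      if (ind.re.test(text)) findings.push({ path, label: ind.label });
    }
  }
  // Placeholder metadata (empty or missing README) is weak on its own, so weight 1.
  if (!(files['README.md'] || '').trim()) findings.push({ path: 'README.md', label: 'placeholder-metadata' });

  const labels = [...new Set(findings.map((f) => f.label))];
  const weightOf = (l) => (INDICATORS.find((i) => i.label === l) || { weight: 1 }).weight;
  const score = labels.reduce((s, l) => s + weightOf(l), 0);
  // Auto-execution plus strong content hits is the combination that matters.
  const verdict = hooks.length && score >= 8 ? 'likely-malicious' : score >= 4 ? 'suspicious' : 'clean';
  return { hooks, findings, labels, score, verdict };
}

// Reconstruction of the isTestEnvironment() checks the record describes, used
// as a check on a detonation sandbox: a non-empty result means the stealer
// would stay dormant there. NODE_ENV === 'test' is an assumption; the record
// only names the variable.
function guardWouldSuppress({ env = {}, hostname = '', username = '' } = {}) {
  const reasons = [];
  for (const k of ['CI', 'GITHUB_ACTIONS', 'JENKINS_HOME']) if (env[k]) reasons.push(`env:${k}`);
  if (env.NODE_ENV === 'test') reasons.push('env:NODE_ENV=test');
  if (/^[0-9a-f]{12}$/.test(hostname)) reasons.push('hostname:docker-style');
  if (['runner', 'sandbox', 'docker'].includes(username)) reasons.push(`user:${username}`);
  return reasons;
}

// Constructed fixture resembling the described lure (inert: string constants
// and the guard only, no file reads, no network). Not the real package source.
const SAMPLE_LURE = {
  'package.json': JSON.stringify({
    name: 'wallet-sdk-demo', version: '3.7.73', description: 'Utility library',
    main: 'src/index.js', scripts: { postinstall: 'node src/index.js' },
  }),
  'src/index.js': [
    "const os = require('os');",
    'function isTestEnvironment() {',
    '  if (process.env.CI || process.env.GITHUB_ACTIONS || process.env.JENKINS_HOME) return true;',
    '  if (/^[0-9a-f]{12}$/.test(os.hostname())) return true;',
    "  return ['runner', 'sandbox', 'docker'].includes(os.userInfo().username);",
    '}',
    "const targets = ['.ssh/id_rsa', '.ssh/id_ed25519', 'wallet.dat', 'mnemonic.txt', '.env'];",
    "const upload = 'https://api.telegram.org/bot<token>/sendDocument'; // caption: CRYPTO STEALER",
  ].join('\n'),
  'README.md': '',
};

// Constructed benign package for contrast.
const BENIGN = {
  'package.json': JSON.stringify({ name: 'tiny-add', version: '1.2.0', main: 'index.js' }),
  'index.js': 'module.exports = (a, b) => a + b;',
  'README.md': '# tiny-add\nAdds two numbers.',
};

if (typeof require !== 'undefined' && require.main === module) {
  const os = require('os');
  console.log(scanPackage(SAMPLE_LURE));          // verdict: likely-malicious
  console.log(scanPackage(BENIGN).verdict);        // clean
  // Would this stealer have fired on the machine running the demo?
  console.log(guardWouldSuppress({ env: process.env, hostname: os.hostname(), username: os.userInfo().username }));
}
```

Two operational points follow from the record. Because the payload also runs on require of the main module, `npm config set ignore-scripts true` blocks the postinstall hook but not the code path taken the first time the package is imported, so hook-blocking alone is not a mitigation. And a detonation sandbox whose hostname looks like a Docker container ID or whose user is `runner`, `sandbox` or `docker` never sees the payload; randomise both and unset the CI variables before detonating, and use `guardWouldSuppress` to confirm the environment would pass the guard.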