registry  /  @wagni_bot/bsc-sdk  /  1.2.0

@wagni_bot/bsc-sdk@1.2.0

OSV Malicious Advisory

scanned 1h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10023 confirms this npm version as malicious. @wagni_bot/bsc-sdk@1.1.0 is a typosquat of BSC-SDK-family packages whose sole purpose is credential theft at install time. index.js exports an empty object; the package provides no advertised BNB Smart Chain functionality. The postinstall lifecycle script recursively scans the current working directory, the user's home directory, and ~/.ssh for files matching id_rsa, id_ed25519, *.pem, *.key, *.cred, and.env, and...

Advisory
MAL-2026-10023
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @wagni_bot/bsc-sdk (npm)
Details
@wagni_bot/bsc-sdk@1.1.0 is a typosquat of BSC-SDK-family packages whose sole purpose is credential theft at install time. index.js exports an empty object; the package provides no advertised BNB Smart Chain functionality. The postinstall lifecycle script recursively scans the current working directory, the user's home directory, and ~/.ssh for files matching id_rsa, id_ed25519, *.pem, *.key, *.cred, and.env, and POSTs their contents to a hardcoded bare-IP endpoint at http://107.161.90.180:7777. In parallel, it enumerates process.env for keys containing PRIVATE, SECRET, TOKEN, API_KEY, PASSWORD, MNEMONIC, SEED, WALLET, or AWS and transmits the matching key=value pairs along with hostname, username, and cwd to the same endpoint. The destination is a plaintext HTTP bare IP on a non-standard port, consistent with throwaway stealer infrastructure. Every developer and CI runner that runs `npm install` on this package has their SSH private keys, PEM certificates, and credential-shaped environment variables shipped to the attacker.
Decision reason
OpenSSF Malicious Packages via OSV confirms @wagni_bot/bsc-sdk@1.2.0 as malicious (MAL-2026-10023): Malicious code in @wagni_bot/bsc-sdk (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory