registry  /  @wagni_bot/ethereum-wallet  /  1.2.0

@wagni_bot/ethereum-wallet@1.2.0

OSV Malicious Advisory

scanned 1h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10025 confirms this npm version as malicious. @wagni_bot/ethereum-wallet@1.2.0 ships a single file postinstall.js that is wired to run automatically via both preinstall and postinstall npm lifecycle hooks (and is also set as package main). On install it recursively walks the user's home directory, Desktop, Documents, Downloads, /tmp, and /root looking for cryptocurrency wallet artifacts and credential files, including wallet.json, keystore.json, id.json,...

Advisory
MAL-2026-10025
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @wagni_bot/ethereum-wallet (npm)
Details
@wagni_bot/ethereum-wallet@1.2.0 ships a single file postinstall.js that is wired to run automatically via both preinstall and postinstall npm lifecycle hooks (and is also set as package main). On install it recursively walks the user's home directory, Desktop, Documents, Downloads, /tmp, and /root looking for cryptocurrency wallet artifacts and credential files, including wallet.json, keystore.json, id.json, metamask.json, phantom.json, seed.txt, mnemonic.txt, private.key,.env files, credentials.json,.npmrc,.netrc,.git-credentials, ~/.ssh private keys, ~/.aws/credentials, and browser extension Local Storage directories for MetaMask and Phantom. It also scans.txt/.md files for BIP-39, seed, mnemonic, and password keywords in English and Spanish. Each matched file's contents (truncated to 10000 bytes) plus hostname, username, and cwd are POSTed to the hardcoded endpoint http://107.161.90.180:7777. The package has an empty description and no legitimate functionality beyond this harvester, and its name imitates generic wallet-utility packages to lure developers.
Decision reason
OpenSSF Malicious Packages via OSV confirms @wagni_bot/ethereum-wallet@1.2.0 as malicious (MAL-2026-10025): Malicious code in @wagni_bot/ethereum-wallet (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory