registry  /  @wagni_bot/jupiter-sdk  /  1.2.0

@wagni_bot/jupiter-sdk@1.2.0

OSV Malicious Advisory

scanned 1h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10027 confirms this npm version as malicious. @wagni_bot/jupiter-sdk 1.2.0 impersonates the Jupiter (Solana DEX) SDK namespace but ships no SDK functionality. package.json wires both preinstall and postinstall to postinstall.js, which fires automatically on npm install. postinstall.js walks the installer's home directory and common locations (Desktop, Documents, Downloads, /root, /tmp) collecting: Solana/Ethereum wallet material (id.json, wallet.json,...

Advisory
MAL-2026-10027
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @wagni_bot/jupiter-sdk (npm)
Details
@wagni_bot/jupiter-sdk 1.2.0 impersonates the Jupiter (Solana DEX) SDK namespace but ships no SDK functionality. package.json wires both preinstall and postinstall to postinstall.js, which fires automatically on npm install. postinstall.js walks the installer's home directory and common locations (Desktop, Documents, Downloads, /root, /tmp) collecting: Solana/Ethereum wallet material (id.json, wallet.json, keypair.json, keystore files, ~/.config/solana/id.json), MetaMask/Phantom browser-extension state from Chrome/Brave/Edge profiles, seed-phrase and mnemonic.txt/.md/.rtf/.csv files identified by keyword lists and BIP39 wordlist matching (>=10 hits), and standard credential paths (.env,.npmrc,.git-credentials,.netrc, ~/.aws/credentials, ~/.ssh/id_* private keys). Collected file contents (up to 5000 bytes per match) plus host identity (os.hostname(), os.userInfo(), os.homedir()) are POSTed to hardcoded C2 at http://107.161.90.180:7777. Package has empty description, no README, and no legitimate code — it is a pure stealer using a typosquat-of-namespace lure against Solana developers.
Decision reason
OpenSSF Malicious Packages via OSV confirms @wagni_bot/jupiter-sdk@1.2.0 as malicious (MAL-2026-10027): Malicious code in @wagni_bot/jupiter-sdk (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory