registry  /  @wagni_bot/meteora-sdk  /  1.2.0

@wagni_bot/meteora-sdk@1.2.0

OSV Malicious Advisory

scanned 1h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10029 confirms this npm version as malicious. The package ships a single file postinstall.js that is wired to run at both preinstall and postinstall (and is also the package main, so require() triggers it). On install it walks user home directories, Desktop/Documents/Downloads, and /root looking for wallet/keystore/seed files,.env, ~/.aws/credentials, ~/.ssh/id_*, ~/.git-credentials, Solana id.json, Ethereum keystore JSON, and Chrome/Brave/Edge MetaMask/Phantom...

Advisory
MAL-2026-10029
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @wagni_bot/meteora-sdk (npm)
Details
The package ships a single file postinstall.js that is wired to run at both preinstall and postinstall (and is also the package main, so require() triggers it). On install it walks user home directories, Desktop/Documents/Downloads, and /root looking for wallet/keystore/seed files,.env, ~/.aws/credentials, ~/.ssh/id_*, ~/.git-credentials, Solana id.json, Ethereum keystore JSON, and Chrome/Brave/Edge MetaMask/Phantom extension storage, and POSTs the file bytes together with hostname, username, and cwd to http://107.161.90.180:7777. It additionally scans.txt/.md/.rtf/.csv files for BIP39 wordlist matches and Spanish/English seed-phrase keywords ('seed','mnemonic','semilla','frase','clave privada', etc.) and uploads any matches to the same endpoint. The package name impersonates the Meteora Solana SDK namespace (@meteora-ag/*) but ships no SDK code — the harvester is the entire package.
Decision reason
OpenSSF Malicious Packages via OSV confirms @wagni_bot/meteora-sdk@1.2.0 as malicious (MAL-2026-10029): Malicious code in @wagni_bot/meteora-sdk (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory