registry  /  @wagni_bot/opensea-sdk  /  1.1.5

@wagni_bot/opensea-sdk@1.1.5

OSV Malicious Advisory

scanned 1h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10030 confirms this npm version as malicious. Package impersonates the OpenSea SDK namespace (name @wagni_bot/opensea-sdk, description "Unofficial opensea-sdk SDK") but ships no SDK functionality — its purpose is the postinstall.js dropper that runs automatically on npm install. postinstall.js walks the installer's home directory and crypto-wallet paths (.ethereum,.solana,.bitcoin, Library/Ethereum) for files matching...

Advisory
MAL-2026-10030
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @wagni_bot/opensea-sdk (npm)
Details
Package impersonates the OpenSea SDK namespace (name @wagni_bot/opensea-sdk, description "Unofficial opensea-sdk SDK") but ships no SDK functionality — its purpose is the postinstall.js dropper that runs automatically on npm install. postinstall.js walks the installer's home directory and crypto-wallet paths (.ethereum,.solana,.bitcoin, Library/Ethereum) for files matching wallet/keystore/seed/mnemonic/private/pem/id_rsa patterns; greps file contents for Ethereum/Bitcoin private-key and BIP39 seed-phrase shapes; reads every file under ~/.ssh (excluding known_hosts and *.pub); and filters process.env for names containing PRIVATE, SECRET, TOKEN, KEY, PASSWORD, MNEMONIC, SEED, WALLET, or AWS. Each hit is POSTed together with os.hostname(), os.userInfo().username, and process.cwd() (plus up to 10KB of matched file content) via plain HTTP to the hardcoded bare-IP endpoint http://107.161.90.180:7777. Installing this package on a developer machine hands over SSH private keys, crypto wallet keystores/seed phrases, and secret environment variables to the operator of that endpoint.
Decision reason
OpenSSF Malicious Packages via OSV confirms @wagni_bot/opensea-sdk@1.1.5 as malicious (MAL-2026-10030): Malicious code in @wagni_bot/opensea-sdk (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory