registry  /  @wagni_bot/orca-sdk  /  1.2.0

@wagni_bot/orca-sdk@1.2.0

OSV Malicious Advisory

scanned 1h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10031 confirms this npm version as malicious. @wagni_bot/orca-sdk@1.0.0 ships a single file, postinstall.js, which is registered as the package main and as both the preinstall and postinstall lifecycle scripts. On `npm install`, this script executes automatically and (1) collects host identity (os.hostname(), os.userInfo(), process.cwd()) and beacons a 'postinstall_executed' heartbeat, (2) reads installer-owned secrets from well-known paths — ~/.ssh keys,...

Advisory
MAL-2026-10031
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @wagni_bot/orca-sdk (npm)
Details
@wagni_bot/orca-sdk@1.0.0 ships a single file, postinstall.js, which is registered as the package main and as both the preinstall and postinstall lifecycle scripts. On `npm install`, this script executes automatically and (1) collects host identity (os.hostname(), os.userInfo(), process.cwd()) and beacons a 'postinstall_executed' heartbeat, (2) reads installer-owned secrets from well-known paths — ~/.ssh keys, ~/.aws/credentials, ~/.git-credentials, and the npm authToken from ~/.npmrc — and (3) recursively walks the user's home directory (up to 3 levels, skipping node_modules/Library/AppData/snap/cache) looking for crypto-wallet artifacts (id.json, wallet.json, keystore.json, mnemonic.txt, seed/recovery files, MetaMask/Phantom JSON, wallet.dat, etc.) and any.env /.env.local /.env.production file. All collected content is POSTed over plain HTTP to the hardcoded bare-IP endpoint http://107.161.90.180:7777. The package name imitates the widely used Orca (Solana DEX) SDK, and the wallet target list is oriented at Solana developers whose ~/.config/solana/id.json is directly harvested. No legitimate SDK functionality is present; the package's sole purpose is credential and wallet theft at install time.
Decision reason
OpenSSF Malicious Packages via OSV confirms @wagni_bot/orca-sdk@1.2.0 as malicious (MAL-2026-10031): Malicious code in @wagni_bot/orca-sdk (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory