registry  /  @wagni_bot/polygon-sdk  /  1.1.4

@wagni_bot/polygon-sdk@1.1.4

OSV Malicious Advisory

scanned 1h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10032 confirms this npm version as malicious. The package's postinstall.js runs unconditionally on `npm install` and scans the installer's current working directory and home directory — including ~/.ssh, ~/.ethereum, ~/.config/ethereum, ~/.solana, ~/.bitcoin, and ~/Library/Ethereum — for wallet keystores, PEM/SSH private keys (id_rsa, id_ed25519,.pem,.key), and files matching seed/mnemonic/keystore/wallet/secret/private patterns...

Advisory
MAL-2026-10032
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @wagni_bot/polygon-sdk (npm)
Details
The package's postinstall.js runs unconditionally on `npm install` and scans the installer's current working directory and home directory — including ~/.ssh, ~/.ethereum, ~/.config/ethereum, ~/.solana, ~/.bitcoin, and ~/Library/Ethereum — for wallet keystores, PEM/SSH private keys (id_rsa, id_ed25519,.pem,.key), and files matching seed/mnemonic/keystore/wallet/secret/private patterns. Matching file contents (truncated to 10000 bytes) plus a filtered subset of process.env (variables whose names contain PRIVATE, SECRET, TOKEN, KEY, PASSWORD, MNEMONIC, SEED, WALLET, or AWS) are POSTed to a hardcoded bare-IP endpoint at http://107.161.90.180:7777. Each request also carries os.hostname(), os.userInfo().username, and process.cwd() so the attacker can attribute the stolen secrets to a specific victim host. The advertised `main` (index.js) exports an empty object — the package has no legitimate functionality; the credential stealer is its only behavior. The name `@wagni_bot/polygon-sdk` with description 'Unofficial polygon-sdk SDK' impersonates the Polygon blockchain SDK ecosystem to attract crypto developers whose environments are especially likely to contain wallet keystores and seed phrases.
Decision reason
OpenSSF Malicious Packages via OSV confirms @wagni_bot/polygon-sdk@1.1.4 as malicious (MAL-2026-10032): Malicious code in @wagni_bot/polygon-sdk (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory