OSV Malicious Advisory
scanned 1h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10033 confirms this npm version as malicious. @wagni_bot/polymarket-sdk@1.1.3 is a credential-stealing package disguised as a Polymarket SDK. index.js exports an empty object; the package ships no advertised functionality. On `npm install`, scripts.postinstall triggers postinstall.js, which: (1) walks the current working directory, the user's home directory, and common crypto-wallet paths (.ethereum,.solana,.bitcoin, Library/Ethereum) for files matching...
Advisory
MAL-2026-10033
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @wagni_bot/polymarket-sdk (npm)
Details
@wagni_bot/polymarket-sdk@1.1.3 is a credential-stealing package disguised as a Polymarket SDK. index.js exports an empty object; the package ships no advertised functionality. On `npm install`, scripts.postinstall triggers postinstall.js, which: (1) walks the current working directory, the user's home directory, and common crypto-wallet paths (.ethereum,.solana,.bitcoin, Library/Ethereum) for files matching keystore/wallet/seed/mnemonic/private/.pem/.key patterns, regex-matches Ethereum private keys, BTC WIF keys, and BIP39 mnemonics, and POSTs matches to a hardcoded bare-IP endpoint; (2) reads every file in ~/.ssh (excluding known_hosts, authorized_keys, and.pub files), harvesting id_rsa/id_ed25519 private keys, and POSTs each to the same endpoint; (3) enumerates process.env, filters for keys containing PRIVATE/SECRET/TOKEN/KEY/PASSWORD/MNEMONIC/SEED/WALLET/AWS, and exfiltrates name=value pairs together with hostname, username, and cwd. All traffic is sent over plain HTTP to http://107.161.90.180:7777. The package name impersonates a legitimate Polymarket SDK to attract developers likely to have crypto keys on disk.
Decision reason
OpenSSF Malicious Packages via OSV confirms @wagni_bot/polymarket-sdk@1.1.4 as malicious (MAL-2026-10033): Malicious code in @wagni_bot/polymarket-sdk (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory