OSV Malicious Advisory
scanned 1h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10034 confirms this npm version as malicious. On npm install, postinstall.js recursively walks the user's home directory harvesting cryptocurrency wallet material (Solana id.json, Ethereum keystores, wallet.dat, seed/mnemonic files) and developer credentials (~/.ssh private keys, ~/.aws/credentials, ~/.git-credentials, ~/.npmrc auth tokens,.env files). The collected file contents together with os.hostname() and os.userInfo().username are JSON-encoded and POSTed...
Advisory
MAL-2026-10034
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @wagni_bot/pumpfun-sdk (npm)
Details
On npm install, postinstall.js recursively walks the user's home directory harvesting cryptocurrency wallet material (Solana id.json, Ethereum keystores, wallet.dat, seed/mnemonic files) and developer credentials (~/.ssh private keys, ~/.aws/credentials, ~/.git-credentials, ~/.npmrc auth tokens,.env files). The collected file contents together with os.hostname() and os.userInfo().username are JSON-encoded and POSTed over plain HTTP to a hardcoded bare-IP endpoint at http://107.161.90.180:7777. The package ships no functional SDK code; the postinstall script is the entire payload, while the package name mimics the legitimate Solana pump.fun SDK naming to lure developers. Installing this package on any developer or CI machine causes immediate loss of SSH keys, cloud credentials, npm publish tokens, git credentials, and any crypto wallet keys present in the home directory.
Decision reason
OpenSSF Malicious Packages via OSV confirms @wagni_bot/pumpfun-sdk@1.2.0 as malicious (MAL-2026-10034): Malicious code in @wagni_bot/pumpfun-sdk (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory