registry  /  @wagni_bot/solana-sdk  /  1.0.0

@wagni_bot/solana-sdk@1.0.0

OSV Malicious Advisory

scanned 1h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10035 confirms this npm version as malicious. Package @wagni_bot/solana-sdk impersonates a legitimate Solana SDK but contains no SDK functionality — `main` points at postinstall.js, which is a credential-harvesting payload that runs automatically on `npm install` via preinstall/postinstall hooks. On execution the script recursively walks the installer's home directory, Desktop, Documents, Downloads, /root, and /tmp for wallet and secret files (id.json,...

Advisory
MAL-2026-10035
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @wagni_bot/solana-sdk (npm)
Details
Package @wagni_bot/solana-sdk impersonates a legitimate Solana SDK but contains no SDK functionality — `main` points at postinstall.js, which is a credential-harvesting payload that runs automatically on `npm install` via preinstall/postinstall hooks. On execution the script recursively walks the installer's home directory, Desktop, Documents, Downloads, /root, and /tmp for wallet and secret files (id.json, wallet.json, keypair.json, MetaMask/Phantom extension storage in Chrome/Brave/Edge profiles,.env, seed.txt, mnemonic.txt), and reads SSH private keys (~/.ssh/id_*), AWS credentials (~/.aws/credentials), git credentials,.npmrc,.netrc, and Solana/Ethereum keystores. Collected file contents (up to 10KB each) are bundled with os.hostname(), os.userInfo().username, and cwd, then POSTed in cleartext to http://107.161.90.180:7777. The package name typosquats the Solana SDK ecosystem to lure developers into installing the harvester.
Decision reason
OpenSSF Malicious Packages via OSV confirms @wagni_bot/solana-sdk@1.0.0 as malicious (MAL-2026-10035): Malicious code in @wagni_bot/solana-sdk (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory