OSV Malicious Advisory
scanned 1h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10035 confirms this npm version as malicious. Package @wagni_bot/solana-sdk impersonates a legitimate Solana SDK but contains no SDK functionality — `main` points at postinstall.js, which is a credential-harvesting payload that runs automatically on `npm install` via preinstall/postinstall hooks. On execution the script recursively walks the installer's home directory, Desktop, Documents, Downloads, /root, and /tmp for wallet and secret files (id.json,...
Advisory
MAL-2026-10035
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @wagni_bot/solana-sdk (npm)
Details
Package @wagni_bot/solana-sdk impersonates a legitimate Solana SDK but contains no SDK functionality — `main` points at postinstall.js, which is a credential-harvesting payload that runs automatically on `npm install` via preinstall/postinstall hooks. On execution the script recursively walks the installer's home directory, Desktop, Documents, Downloads, /root, and /tmp for wallet and secret files (id.json, wallet.json, keypair.json, MetaMask/Phantom extension storage in Chrome/Brave/Edge profiles,.env, seed.txt, mnemonic.txt), and reads SSH private keys (~/.ssh/id_*), AWS credentials (~/.aws/credentials), git credentials,.npmrc,.netrc, and Solana/Ethereum keystores. Collected file contents (up to 10KB each) are bundled with os.hostname(), os.userInfo().username, and cwd, then POSTed in cleartext to http://107.161.90.180:7777. The package name typosquats the Solana SDK ecosystem to lure developers into installing the harvester.
Decision reason
OpenSSF Malicious Packages via OSV confirms @wagni_bot/solana-sdk@1.0.0 as malicious (MAL-2026-10035): Malicious code in @wagni_bot/solana-sdk (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory