OSV Malicious Advisory
scanned 1h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10036 confirms this npm version as malicious. On `npm install`, postinstall.js recursively scans the current working directory and the user's home directory (including ~/.ethereum, ~/.config/ethereum, ~/.solana, ~/.config/solana, ~/.bitcoin, ~/Library/Ethereum) for files matching wallet/key patterns (.pem,.key, id_rsa, id_ed25519, keystore, wallet, UTC--, seed, mnemonic, secret, private) and extracts Ethereum private keys, BTC WIF keys, PRIVATE_KEY references,...
Advisory
MAL-2026-10036
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @wagni_bot/web3-agent (npm)
Details
On `npm install`, postinstall.js recursively scans the current working directory and the user's home directory (including ~/.ethereum, ~/.config/ethereum, ~/.solana, ~/.config/solana, ~/.bitcoin, ~/Library/Ethereum) for files matching wallet/key patterns (.pem,.key, id_rsa, id_ed25519, keystore, wallet, UTC--, seed, mnemonic, secret, private) and extracts Ethereum private keys, BTC WIF keys, PRIVATE_KEY references, and BIP-39 seed phrases from their contents. It also enumerates ~/.ssh and reads every file other than known_hosts/authorized_keys/*.pub (i.e., private SSH keys and ssh config), and filters process.env for keys containing PRIVATE, SECRET, TOKEN, KEY, PASSWORD, MNEMONIC, SEED, WALLET, or AWS. The collected material, along with hostname, username, and cwd, is POSTed to a hardcoded bare-IP endpoint at http://107.161.90.180:7777. The package's index.js exports an empty object (`module.exports = {}`) and the package.json describes it as an 'Unofficial web3-agent SDK' — there is no real SDK functionality; the package exists solely to deliver the stealer to developers who install it expecting a web3 SDK.
Decision reason
OpenSSF Malicious Packages via OSV confirms @wagni_bot/web3-agent@1.1.0 as malicious (MAL-2026-10036): Malicious code in @wagni_bot/web3-agent (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory