registry  /  @wagni_bot/web3-toolkit  /  1.2.0

@wagni_bot/web3-toolkit@1.2.0

OSV Malicious Advisory

scanned 1h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10037 confirms this npm version as malicious. The package installs a postinstall.js payload wired to both preinstall and postinstall lifecycle hooks (and to main), so it runs automatically on `npm install`. On execution it walks the user's home directory and OS-specific paths and reads files matching wallet, keystore, seed, mnemonic, and credential patterns — including.env, ~/.npmrc, ~/.aws/credentials, ~/.ssh/id_*, ~/.git-credentials, ~/.netrc, Solana...

Advisory
MAL-2026-10037
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @wagni_bot/web3-toolkit (npm)
Details
The package installs a postinstall.js payload wired to both preinstall and postinstall lifecycle hooks (and to main), so it runs automatically on `npm install`. On execution it walks the user's home directory and OS-specific paths and reads files matching wallet, keystore, seed, mnemonic, and credential patterns — including.env, ~/.npmrc, ~/.aws/credentials, ~/.ssh/id_*, ~/.git-credentials, ~/.netrc, Solana id.json/keypair.json, Ethereum keystores, and browser wallet extension storage for MetaMask (nkbihfbeogaeaoehlefnkodbefgpgknn), Phantom, and similar extensions. It also scans.txt/.md/.rtf/.csv files across Desktop, Documents, and Downloads (including localized directory names), matches contents against an embedded BIP-39 wordlist to detect seed-phrase backups, and POSTs matching file contents plus host/user identifiers (os.hostname(), os.userInfo(), os.homedir()) over plain HTTP to a hardcoded remote endpoint at http://107.161.90.180:7777. The package.json description is empty and the package ships no legitimate functionality; the web3-themed scoped name is a lure targeting crypto developers.
Decision reason
OpenSSF Malicious Packages via OSV confirms @wagni_bot/web3-toolkit@1.2.0 as malicious (MAL-2026-10037): Malicious code in @wagni_bot/web3-toolkit (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory