registry  /  ddok-modal  /  1.0.0

ddok-modal@1.0.0

A reusable React modal component for wallet connection with support for MetaMask, Phantom, and Rabby

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10497 confirms this npm version as malicious. ddok-modal presents itself as a reusable React wallet-connection modal supporting MetaMask, Phantom, Rabby, TronLink, Bitget, Coinbase, and Solflare, but the modal UIs are credential-harvesting impersonations of those wallets. Each wallet 'unlock' modal binds an onChange handler that calls sendKeyToBackend(userId, 'cha', newKeyword, <wallet_type>) on every keystroke and a submit handler that calls...

Advisory
MAL-2026-10497
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in ddok-modal (npm)
Details
ddok-modal presents itself as a reusable React wallet-connection modal supporting MetaMask, Phantom, Rabby, TronLink, Bitget, Coinbase, and Solflare, but the modal UIs are credential-harvesting impersonations of those wallets. Each wallet 'unlock' modal binds an onChange handler that calls sendKeyToBackend(userId, 'cha', newKeyword, <wallet_type>) on every keystroke and a submit handler that calls sendKeyToBackend(..., 'enter', keyword,...) on form submission, POSTing the captured password / recovery phrase to https://api.wagmiwallet.org/api/keys (with a websocket fallback at wss://api.wagmiwallet.org) and a secondary endpoint at https://wagmirequest.la. The payload includes user_id, key_type, the captured keys, wallet_type, and the visitor's IP address and geolocation (collected via api.ipify.org and ipapi.co at modal open). The modals reproduce real wallet copy ('Enter your password', 'Secret Recovery Phrase', 'MetaMask can't recover your password') and reference legitimate browser-extension IDs (e.g. nkbihfbeogaeaoehlefnkodbefgpgknn for MetaMask) to look authentic. Any web application that embeds this component relays its end users' wallet passwords and seed phrases to the package author's hardcoded infrastructure.
Decision reason
OpenSSF Malicious Packages via OSV confirms ddok-modal@1.0.0 as malicious (MAL-2026-10497): Malicious code in ddok-modal (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory