MAL-2026-10022

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/binance-sdk/MAL-2026-10022.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10022
Published
2026-07-09T15:15:31Z
Modified
2026-07-09T16:31:55.696057473Z
Summary
Malicious code in @wagni_bot/binance-sdk (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ecce8bb9640527041b349f2309b950c39c04ed3b3d4de2477c43acc7144eeabc)

The package advertises itself as a Binance SDK but ships only postinstall.js, which is wired to both preinstall and postinstall lifecycle hooks. On npm install it recursively walks the user's home directory (up to depth 3) looking for cryptocurrency wallet and keystore files (id.json, wallet.json, keypair.json, keystore.json, privatekey.json, seed.txt, mnemonic.txt, metamask.json, phantom.json, etc.), reads ~/.aws/credentials, ~/.ssh/*, ~/.git-credentials, ~/.npmrc, and.env /.env.local /.env.production files, and POSTs the contents together with os.hostname() and os.userInfo() to a hardcoded bare-IP endpoint at http://107.161.90.180:7777. There is no SDK functionality in the package — the Binance branding is a cover story to attract crypto developers whose machines are likely to contain wallet material. Any developer or CI system that runs npm install on this package will have their local wallet keystores, SSH keys, AWS credentials, git credentials, npm auth tokens, and environment secrets exfiltrated to the attacker.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "a036424a1b9fdfc85bc0d880fb09b8092b6c605211857b4e54c791129cd52704",
            "id": "IN-MAL-2026-009020",
            "import_time": "2026-07-09T16:20:33.139430128Z",
            "modified_time": "2026-07-09T15:15:31Z",
            "versions": [
                "1.2.0"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-009025",
            "import_time": "2026-07-09T16:20:33.452799016Z",
            "modified_time": "2026-07-09T15:16:19Z",
            "sha256": "ecce8bb9640527041b349f2309b950c39c04ed3b3d4de2477c43acc7144eeabc",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @wagni_bot/binance-sdk

Package

Name
@wagni_bot/binance-sdk
View open source insights on deps.dev
Purl
pkg:npm/%40wagni_bot/binance-sdk

Affected ranges

Affected versions

1.*
1.0.0
1.2.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "binance-sdk-1.2.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-vhKKjsmhEeBSg4zTxIOKlRx9fWN+oUv+SqLxfHzBUnPe+bN3Ph4VaexUfIN4hav9GIhmKAJsPdnXFG8iceC+aw==",
                "sha1": "276c6900fe842ae9e752c063b9969819046beaaa"
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "6712d9c576be111d1427d2bbfa2b0202356eae8a260dd995fcce09002f583945bd7bfc",
            "sha256": "6c9c16897e74d441ac24472d86e97fac219c2fc56f14408ef406b2883df03654",
            "path": "postinstall.js"
        },
        {
            "sha256": "68239ab870e6796bab81fe75e75713190514470651d4b5113b85cae512b6adfa",
            "tlsh": "fbd05e204e505b33b8c81bec0827416baaf3490b50182a2c17df2894434e2bb94bb72f",
            "path": "package.json"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/binance-sdk/MAL-2026-10022.json"