-= Per source details. Do not edit below this line.=-
@wagnibot/bsc-sdk@1.1.0 is a typosquat of BSC-SDK-family packages whose sole purpose is credential theft at install time. index.js exports an empty object; the package provides no advertised BNB Smart Chain functionality. The postinstall lifecycle script recursively scans the current working directory, the user's home directory, and ~/.ssh for files matching idrsa, ided25519, *.pem, *.key, *.cred, and.env, and POSTs their contents to a hardcoded bare-IP endpoint at http://107.161.90.180:7777. In parallel, it enumerates process.env for keys containing PRIVATE, SECRET, TOKEN, APIKEY, PASSWORD, MNEMONIC, SEED, WALLET, or AWS and transmits the matching key=value pairs along with hostname, username, and cwd to the same endpoint. The destination is a plaintext HTTP bare IP on a non-standard port, consistent with throwaway stealer infrastructure. Every developer and CI runner that runs npm install on this package has their SSH private keys, PEM certificates, and credential-shaped environment variables shipped to the attacker.
{
"malicious-packages-origins": [
{
"sha256": "01e01daf028cc2f0fcf1ea2b6bc4500a123febdb5656bfa1f80ce675e96d7798",
"id": "IN-MAL-2026-009042",
"import_time": "2026-07-09T16:20:35.853833944Z",
"modified_time": "2026-07-09T15:19:07Z",
"versions": [
"1.2.0"
],
"source": "amazon-inspector"
},
{
"sha256": "315cebf0b6c9fed4a189fff2b0cd6c292e870150deeb5d6a43067972c43b54e6",
"id": "IN-MAL-2026-009058",
"modified_time": "2026-07-09T15:21:39Z",
"versions": [
"1.1.3"
],
"import_time": "2026-07-09T16:20:37.074404884Z",
"source": "amazon-inspector"
},
{
"versions": [
"1.1.1"
],
"id": "IN-MAL-2026-009062",
"import_time": "2026-07-09T16:20:37.455187713Z",
"modified_time": "2026-07-09T15:22:13Z",
"sha256": "4cead275a720b5cfe0cabc4cb264a1ca1840473e9368c5174e886bb7dbc5a939",
"source": "amazon-inspector"
},
{
"sha256": "584f507a0470ea912e3a84a54a7c2f86aab44e6717f6ea9736121d54f073891a",
"id": "IN-MAL-2026-009046",
"modified_time": "2026-07-09T15:19:47Z",
"versions": [
"1.1.4"
],
"import_time": "2026-07-09T16:20:36.221502742Z",
"source": "amazon-inspector"
},
{
"sha256": "68707229cc80d6db8fe3b087a40601cdbd8b23bcda9a3030ede4e0ac85fe0cf8",
"id": "IN-MAL-2026-009070",
"modified_time": "2026-07-09T15:23:34Z",
"versions": [
"1.1.0"
],
"import_time": "2026-07-09T16:20:38.099144938Z",
"source": "amazon-inspector"
},
{
"sha256": "6dd15e1f251a2897f0cb347c79e4443c00a9cefdce96275b91f379c4bd0ce93f",
"id": "IN-MAL-2026-009031",
"import_time": "2026-07-09T16:20:33.917438787Z",
"versions": [
"1.1.5"
],
"modified_time": "2026-07-09T15:17:19Z",
"source": "amazon-inspector"
},
{
"versions": [
"1.0.0"
],
"id": "IN-MAL-2026-009041",
"import_time": "2026-07-09T16:20:35.797613686Z",
"modified_time": "2026-07-09T15:18:59Z",
"sha256": "83881f27f5d074f0086d86e1215f8df95a1decf65057bf2b6a6db74b7aa7591f",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "6c9c16897e74d441ac24472d86e97fac219c2fc56f14408ef406b2883df03654",
"tlsh": "6712d9c576be111d1427d2bbfa2b0202356eae8a260dd995fcce09002f583945bd7bfc",
"path": "postinstall.js"
},
{
"sha256": "16456008841becc588786645c2134953259cd2849297553ac0d0f83660ddab9a",
"tlsh": "b2d05e204e515b3378c81bec0827416aa9f3490b1018292857df2894430e2bb947b72f",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "bsc-sdk-1.2.0.tgz",
"hashes": {
"sha512_sri": "sha512-dJCW0I5wnLRHfp8qOYxvZkq7kkJTJhoha0mxSpc1Asb/VY7hVXoL7ffrlBcLfpF3u1/W5hvGFdymsUwOCtlbCw==",
"sha1": "12effddffe3a375f1230cfe0a3453b7269347a12"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/bsc-sdk/MAL-2026-10023.json"