MAL-2026-10023

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/bsc-sdk/MAL-2026-10023.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10023
Published
2026-07-09T15:17:19Z
Modified
2026-07-09T16:31:56.669187341Z
Summary
Malicious code in @wagni_bot/bsc-sdk (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (68707229cc80d6db8fe3b087a40601cdbd8b23bcda9a3030ede4e0ac85fe0cf8)

@wagnibot/bsc-sdk@1.1.0 is a typosquat of BSC-SDK-family packages whose sole purpose is credential theft at install time. index.js exports an empty object; the package provides no advertised BNB Smart Chain functionality. The postinstall lifecycle script recursively scans the current working directory, the user's home directory, and ~/.ssh for files matching idrsa, ided25519, *.pem, *.key, *.cred, and.env, and POSTs their contents to a hardcoded bare-IP endpoint at http://107.161.90.180:7777. In parallel, it enumerates process.env for keys containing PRIVATE, SECRET, TOKEN, APIKEY, PASSWORD, MNEMONIC, SEED, WALLET, or AWS and transmits the matching key=value pairs along with hostname, username, and cwd to the same endpoint. The destination is a plaintext HTTP bare IP on a non-standard port, consistent with throwaway stealer infrastructure. Every developer and CI runner that runs npm install on this package has their SSH private keys, PEM certificates, and credential-shaped environment variables shipped to the attacker.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "01e01daf028cc2f0fcf1ea2b6bc4500a123febdb5656bfa1f80ce675e96d7798",
            "id": "IN-MAL-2026-009042",
            "import_time": "2026-07-09T16:20:35.853833944Z",
            "modified_time": "2026-07-09T15:19:07Z",
            "versions": [
                "1.2.0"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "315cebf0b6c9fed4a189fff2b0cd6c292e870150deeb5d6a43067972c43b54e6",
            "id": "IN-MAL-2026-009058",
            "modified_time": "2026-07-09T15:21:39Z",
            "versions": [
                "1.1.3"
            ],
            "import_time": "2026-07-09T16:20:37.074404884Z",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.1.1"
            ],
            "id": "IN-MAL-2026-009062",
            "import_time": "2026-07-09T16:20:37.455187713Z",
            "modified_time": "2026-07-09T15:22:13Z",
            "sha256": "4cead275a720b5cfe0cabc4cb264a1ca1840473e9368c5174e886bb7dbc5a939",
            "source": "amazon-inspector"
        },
        {
            "sha256": "584f507a0470ea912e3a84a54a7c2f86aab44e6717f6ea9736121d54f073891a",
            "id": "IN-MAL-2026-009046",
            "modified_time": "2026-07-09T15:19:47Z",
            "versions": [
                "1.1.4"
            ],
            "import_time": "2026-07-09T16:20:36.221502742Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "68707229cc80d6db8fe3b087a40601cdbd8b23bcda9a3030ede4e0ac85fe0cf8",
            "id": "IN-MAL-2026-009070",
            "modified_time": "2026-07-09T15:23:34Z",
            "versions": [
                "1.1.0"
            ],
            "import_time": "2026-07-09T16:20:38.099144938Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "6dd15e1f251a2897f0cb347c79e4443c00a9cefdce96275b91f379c4bd0ce93f",
            "id": "IN-MAL-2026-009031",
            "import_time": "2026-07-09T16:20:33.917438787Z",
            "versions": [
                "1.1.5"
            ],
            "modified_time": "2026-07-09T15:17:19Z",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-009041",
            "import_time": "2026-07-09T16:20:35.797613686Z",
            "modified_time": "2026-07-09T15:18:59Z",
            "sha256": "83881f27f5d074f0086d86e1215f8df95a1decf65057bf2b6a6db74b7aa7591f",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @wagni_bot/bsc-sdk

Package

Name
@wagni_bot/bsc-sdk
View open source insights on deps.dev
Purl
pkg:npm/%40wagni_bot/bsc-sdk

Affected ranges

Affected versions

1.*
1.0.0
1.1.0
1.1.1
1.1.3
1.1.4
1.1.5
1.2.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "6c9c16897e74d441ac24472d86e97fac219c2fc56f14408ef406b2883df03654",
            "tlsh": "6712d9c576be111d1427d2bbfa2b0202356eae8a260dd995fcce09002f583945bd7bfc",
            "path": "postinstall.js"
        },
        {
            "sha256": "16456008841becc588786645c2134953259cd2849297553ac0d0f83660ddab9a",
            "tlsh": "b2d05e204e515b3378c81bec0827416aa9f3490b1018292857df2894430e2bb947b72f",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "bsc-sdk-1.2.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-dJCW0I5wnLRHfp8qOYxvZkq7kkJTJhoha0mxSpc1Asb/VY7hVXoL7ffrlBcLfpF3u1/W5hvGFdymsUwOCtlbCw==",
                "sha1": "12effddffe3a375f1230cfe0a3453b7269347a12"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/bsc-sdk/MAL-2026-10023.json"