-= Per source details. Do not edit below this line.=-
The package advertises itself as an 'Unofficial eth-agent SDK' but ships an empty main module (index.js contains only module.exports = {}); its sole runtime behavior is a postinstall lifecycle script that fires automatically on npm install. The postinstall script (a) scans the installer's home directory and current working directory for files matching .pem, .key, id_rsa, id_ed25519, .cred, and .env, (b) walks ~/.ssh to collect SSH private keys, (c) iterates process.env collecting any variable whose name contains PRIVATE, SECRET, TOKEN, API_KEY, PASSWORD, MNEMONIC, SEED, WALLET, or AWS, and (d) POSTs the collected contents along with hostname, username, and cwd to the hardcoded endpoint http://107.161.90.180:7777 over plain HTTP with no TLS and no authentication. Errors are silently swallowed. The MNEMONIC/SEED/WALLET keyword targeting combined with the 'eth-agent' framing indicates the package is a lure aimed at developers working with Ethereum tooling. Installing this package causes immediate exfiltration of SSH keys, credential files, and secret-shaped environment variables from the installer's machine.
{
"malicious-packages-origins": [
{
"sha256": "03e42c868cfcdc9ed37b2ddf6dfa6141aa03e38563b6985db559f98b6eb6d1d8",
"id": "IN-MAL-2026-009021",
"import_time": "2026-07-09T16:20:33.187947716Z",
"modified_time": "2026-07-09T15:15:40Z",
"versions": [
"1.2.0"
],
"source": "amazon-inspector"
},
{
"versions": [
"1.1.3"
],
"id": "IN-MAL-2026-009026",
"import_time": "2026-07-09T16:20:33.597139238Z",
"modified_time": "2026-07-09T15:16:29Z",
"sha256": "5d46415892919215eed071bdd66ba9a95e95ca5e81bfe55022abf0f36910319d",
"source": "amazon-inspector"
},
{
"sha256": "a44c949d55ca78d2c8a63129464171771decc48c12f7a0bacdde7c91822a8c2b",
"id": "IN-MAL-2026-009055",
"import_time": "2026-07-09T16:20:36.83279167Z",
"modified_time": "2026-07-09T15:21:12Z",
"versions": [
"1.1.4"
],
"source": "amazon-inspector"
},
{
"versions": [
"1.0.0"
],
"id": "IN-MAL-2026-009074",
"import_time": "2026-07-09T16:20:38.378349895Z",
"modified_time": "2026-07-09T15:24:16Z",
"sha256": "ec9dd5533310b4c6393d25622fbdd945c9347d85813da4f9cccdf313103b9516",
"source": "amazon-inspector"
},
{
"sha256": "04aad2fc52ba0f786600e686fa8809f5e1ae54882b119289f3f8d42d7038e7c7",
"id": "IN-MAL-2026-009032",
"import_time": "2026-07-09T16:20:33.968872855Z",
"versions": [
"1.1.5"
],
"modified_time": "2026-07-09T15:17:31Z",
"source": "amazon-inspector"
},
{
"sha256": "08c234c984ea87a7d4c780dc8ddbc244926628e405ea0f7ac9798309260a6122",
"id": "IN-MAL-2026-009072",
"import_time": "2026-07-09T16:20:38.229493978Z",
"versions": [
"1.1.0"
],
"modified_time": "2026-07-09T15:23:52Z",
"source": "amazon-inspector"
},
{
"sha256": "2c4729a80b5bf5b9251915cd285c3146bcee654db2068ad9a763478550643d10",
"id": "IN-MAL-2026-009065",
"import_time": "2026-07-09T16:20:37.742828939Z",
"versions": [
"1.1.1"
],
"modified_time": "2026-07-09T15:22:48Z",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "6c9c16897e74d441ac24472d86e97fac219c2fc56f14408ef406b2883df03654",
"tlsh": "6712d9c576be111d1427d2bbfa2b0202356eae8a260dd995fcce09002f583945bd7bfc",
"path": "postinstall.js"
},
{
"tlsh": "bdd05e204d505b3378c81bed1827416ba9f3491b10082a2837db2994430e27b987b21f",
"sha256": "31a8dc1ad7854885c54491ac8b114e770d6294f01318fd5c7daf0cbf5874121b",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "eth-agent-1.2.0.tgz",
"hashes": {
"sha512_sri": "sha512-gx+DBX1dOLO72E+z4bqM4gEdtv1Ks4DxD71B1WM5di/1pfWYBrgxbtZcxN+/4ILkKfM0UfCJ2dC0eYqoA4uuzg==",
"sha1": "37681094a03077d79b9101816f095f4565853f1a"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/eth-agent/MAL-2026-10024.json"