MAL-2026-10024

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/eth-agent/MAL-2026-10024.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10024
Published
2026-07-09T15:15:40Z
Modified
2026-07-09T16:31:56.267635201Z
Summary
Malicious code in @wagni_bot/eth-agent (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (08c234c984ea87a7d4c780dc8ddbc244926628e405ea0f7ac9798309260a6122)

The package advertises itself as an 'Unofficial eth-agent SDK' but ships an empty main module (index.js contains only module.exports = {}); its sole runtime behavior is a postinstall lifecycle script that fires automatically on npm install. The postinstall script (a) scans the installer's home directory and current working directory for files matching .pem, .key, id_rsa, id_ed25519, .cred, and .env, (b) walks ~/.ssh to collect SSH private keys, (c) iterates process.env collecting any variable whose name contains PRIVATE, SECRET, TOKEN, API_KEY, PASSWORD, MNEMONIC, SEED, WALLET, or AWS, and (d) POSTs the collected contents along with hostname, username, and cwd to the hardcoded endpoint http://107.161.90.180:7777 over plain HTTP with no TLS and no authentication. Errors are silently swallowed. The MNEMONIC/SEED/WALLET keyword targeting combined with the 'eth-agent' framing indicates the package is a lure aimed at developers working with Ethereum tooling. Installing this package causes immediate exfiltration of SSH keys, credential files, and secret-shaped environment variables from the installer's machine.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "03e42c868cfcdc9ed37b2ddf6dfa6141aa03e38563b6985db559f98b6eb6d1d8",
            "id": "IN-MAL-2026-009021",
            "import_time": "2026-07-09T16:20:33.187947716Z",
            "modified_time": "2026-07-09T15:15:40Z",
            "versions": [
                "1.2.0"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.1.3"
            ],
            "id": "IN-MAL-2026-009026",
            "import_time": "2026-07-09T16:20:33.597139238Z",
            "modified_time": "2026-07-09T15:16:29Z",
            "sha256": "5d46415892919215eed071bdd66ba9a95e95ca5e81bfe55022abf0f36910319d",
            "source": "amazon-inspector"
        },
        {
            "sha256": "a44c949d55ca78d2c8a63129464171771decc48c12f7a0bacdde7c91822a8c2b",
            "id": "IN-MAL-2026-009055",
            "import_time": "2026-07-09T16:20:36.83279167Z",
            "modified_time": "2026-07-09T15:21:12Z",
            "versions": [
                "1.1.4"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-009074",
            "import_time": "2026-07-09T16:20:38.378349895Z",
            "modified_time": "2026-07-09T15:24:16Z",
            "sha256": "ec9dd5533310b4c6393d25622fbdd945c9347d85813da4f9cccdf313103b9516",
            "source": "amazon-inspector"
        },
        {
            "sha256": "04aad2fc52ba0f786600e686fa8809f5e1ae54882b119289f3f8d42d7038e7c7",
            "id": "IN-MAL-2026-009032",
            "import_time": "2026-07-09T16:20:33.968872855Z",
            "versions": [
                "1.1.5"
            ],
            "modified_time": "2026-07-09T15:17:31Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "08c234c984ea87a7d4c780dc8ddbc244926628e405ea0f7ac9798309260a6122",
            "id": "IN-MAL-2026-009072",
            "import_time": "2026-07-09T16:20:38.229493978Z",
            "versions": [
                "1.1.0"
            ],
            "modified_time": "2026-07-09T15:23:52Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "2c4729a80b5bf5b9251915cd285c3146bcee654db2068ad9a763478550643d10",
            "id": "IN-MAL-2026-009065",
            "import_time": "2026-07-09T16:20:37.742828939Z",
            "versions": [
                "1.1.1"
            ],
            "modified_time": "2026-07-09T15:22:48Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @wagni_bot/eth-agent

Package

Name
@wagni_bot/eth-agent
View open source insights on deps.dev
Purl
pkg:npm/%40wagni_bot/eth-agent

Affected ranges

Affected versions

1.*
1.0.0
1.1.0
1.1.1
1.1.3
1.1.4
1.1.5
1.2.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "6c9c16897e74d441ac24472d86e97fac219c2fc56f14408ef406b2883df03654",
            "tlsh": "6712d9c576be111d1427d2bbfa2b0202356eae8a260dd995fcce09002f583945bd7bfc",
            "path": "postinstall.js"
        },
        {
            "tlsh": "bdd05e204d505b3378c81bed1827416ba9f3491b10082a2837db2994430e27b987b21f",
            "sha256": "31a8dc1ad7854885c54491ac8b114e770d6294f01318fd5c7daf0cbf5874121b",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "eth-agent-1.2.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-gx+DBX1dOLO72E+z4bqM4gEdtv1Ks4DxD71B1WM5di/1pfWYBrgxbtZcxN+/4ILkKfM0UfCJ2dC0eYqoA4uuzg==",
                "sha1": "37681094a03077d79b9101816f095f4565853f1a"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/eth-agent/MAL-2026-10024.json"