MAL-2026-10025

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/ethereum-wallet/MAL-2026-10025.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10025
Published
2026-07-09T15:14:36Z
Modified
2026-07-09T16:31:56.860828127Z
Summary
Malicious code in @wagni_bot/ethereum-wallet (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (181ac4262af395234755b7e5755de0eff6cf084cab58c95e4660d3b2a66c385b)

@wagni_bot/ethereum-wallet@1.2.0 ships a single file postinstall.js that is wired to run automatically via both preinstall and postinstall npm lifecycle hooks (and is also set as package main). On install it recursively walks the user's home directory, Desktop, Documents, Downloads, /tmp, and /root looking for cryptocurrency wallet artifacts and credential files, including wallet.json, keystore.json, id.json, metamask.json, phantom.json, seed.txt, mnemonic.txt, private.key,.env files, credentials.json,.npmrc,.netrc,.git-credentials, ~/.ssh private keys, ~/.aws/credentials, and browser extension Local Storage directories for MetaMask and Phantom. It also scans.txt/.md files for BIP-39, seed, mnemonic, and password keywords in English and Spanish. Each matched file's contents (truncated to 10000 bytes) plus hostname, username, and cwd are POSTed to the hardcoded endpoint http://107.161.90.180:7777. The package has an empty description and no legitimate functionality beyond this harvester, and its name imitates generic wallet-utility packages to lure developers.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.2.0"
            ],
            "id": "IN-MAL-2026-009014",
            "import_time": "2026-07-09T16:20:32.749511301Z",
            "modified_time": "2026-07-09T15:14:36Z",
            "sha256": "181ac4262af395234755b7e5755de0eff6cf084cab58c95e4660d3b2a66c385b",
            "source": "amazon-inspector"
        },
        {
            "sha256": "2cfda5bb18b5f8877a8baaee233d198d8da5498c8a1b1e90e87623a49a7bcc51",
            "id": "IN-MAL-2026-009029",
            "import_time": "2026-07-09T16:20:33.761024429Z",
            "modified_time": "2026-07-09T15:16:59Z",
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @wagni_bot/ethereum-wallet

Package

Name
@wagni_bot/ethereum-wallet
View open source insights on deps.dev
Purl
pkg:npm/%40wagni_bot/ethereum-wallet

Affected ranges

Affected versions

1.*
1.0.0
1.2.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "6c9c16897e74d441ac24472d86e97fac219c2fc56f14408ef406b2883df03654",
            "tlsh": "6712d9c576be111d1427d2bbfa2b0202356eae8a260dd995fcce09002f583945bd7bfc",
            "path": "postinstall.js"
        },
        {
            "sha256": "a7b7e443d2f321c3e4e7b50ffc4ee771e0ba4f0b7b71b2a4fcf5a62e24d486ae",
            "tlsh": "efd05e204e505b7378c81bed082741abaaf3491b51082a2827df2894430e27b987b21f",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "ethereum-wallet-1.2.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-J5AD+akCb9VZV4WuR75T/nC+8wLIrO5fTLsyUtk1OUTjSGUB6qMx3R+J7lrfp7RmjwW+lPQ4XLbZ0PrC0wUb5g==",
                "sha1": "279e450660572e6b6917d98a5517332b52a54e81"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/ethereum-wallet/MAL-2026-10025.json"