MAL-2026-10026

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/hyperliquid-sdk/MAL-2026-10026.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10026
Published
2026-07-09T15:17:49Z
Modified
2026-07-09T16:31:56.959456519Z
Summary
Malicious code in @wagni_bot/hyperliquid-sdk (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ca6ec83c9621f8afc9616d49876cc451ca8d99397d99288889b81298eb410d7e)

The package is scoped and named to impersonate the Hyperliquid exchange SDK (@wagni_bot/hyperliquid-sdk) but ships no SDK code — only a harvester in postinstall.js that is wired to run automatically on npm install via both preinstall and postinstall lifecycle hooks. On install, the script scans the installer's home directory, Desktop, Documents, Downloads, /root, and /tmp for wallet-related artifacts (id.json, wallet.json, keystore.json, metamask.json, phantom.json, seed.txt, mnemonic.txt,.env, credentials.json,.npmrc,.git-credentials,.netrc), reads Solana/Ethereum keystores, ~/.ssh/ private keys, ~/.aws/credentials, ~/.git-credentials, and Chrome/Brave/Edge MetaMask and Phantom extension Local Extension Settings directories. It additionally reads user.txt/.md/.rtf/.csv files, tokenizes their content, and if 10 or more tokens match a BIP39 wordlist, uploads the file. All collected contents, along with hostname, username, and cwd, are POSTed to hardcoded endpoint http://107.161.90.180:7777. The package name impersonation targets crypto developers looking for the legitimate Hyperliquid SDK.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "1e14d014ce531c2ac67ad2161b85f8d80cd36d832a75498261c7e6a732d84e03",
            "id": "IN-MAL-2026-009045",
            "import_time": "2026-07-09T16:20:36.167378355Z",
            "modified_time": "2026-07-09T15:19:40Z",
            "versions": [
                "1.1.5"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-009077",
            "import_time": "2026-07-09T16:20:38.752309979Z",
            "modified_time": "2026-07-09T15:24:42Z",
            "sha256": "acb65c5406a7548eb967eaf83b160f0e4e7ec41540795e25c81fd899471da7ad",
            "source": "amazon-inspector"
        },
        {
            "sha256": "ad42a5ae741ef707d93ea139f44d4e092a7e636821f842246c9c5c3d4da02a04",
            "id": "IN-MAL-2026-009052",
            "import_time": "2026-07-09T16:20:36.627281756Z",
            "modified_time": "2026-07-09T15:20:41Z",
            "versions": [
                "1.1.4"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "ca6ec83c9621f8afc9616d49876cc451ca8d99397d99288889b81298eb410d7e",
            "id": "IN-MAL-2026-009044",
            "modified_time": "2026-07-09T15:19:29Z",
            "versions": [
                "1.2.0"
            ],
            "import_time": "2026-07-09T16:20:36.051945776Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "ee985df6bea9ffe959983fde092d996bd1bfc088d88364f0dd55839c033f301a",
            "id": "IN-MAL-2026-009066",
            "import_time": "2026-07-09T16:20:37.841963384Z",
            "modified_time": "2026-07-09T15:22:58Z",
            "versions": [
                "1.1.0"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "2adf8fbb987c388f63095955c060414b8b7bc6406393856c50a4d3d045936d2c",
            "id": "IN-MAL-2026-009059",
            "modified_time": "2026-07-09T15:21:46Z",
            "versions": [
                "1.1.1"
            ],
            "import_time": "2026-07-09T16:20:37.133888408Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "5a0924176ca46558d5c6f28aafb614e8271efdcf288a728176b6847853d76386",
            "id": "IN-MAL-2026-009034",
            "import_time": "2026-07-09T16:20:34.421669456Z",
            "modified_time": "2026-07-09T15:17:49Z",
            "versions": [
                "1.1.3"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @wagni_bot/hyperliquid-sdk

Package

Name
@wagni_bot/hyperliquid-sdk
View open source insights on deps.dev
Purl
pkg:npm/%40wagni_bot/hyperliquid-sdk

Affected ranges

Affected versions

1.*
1.0.0
1.1.0
1.1.1
1.1.3
1.1.4
1.1.5
1.2.0

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "5c8155c4b1fa520958a341eefa5b220210717d573848e4a9fedc9f456f56240af53bfc",
            "sha256": "3d8a59e627a451040c959870dace8fb417d1f9c55c6e2d2190637289212f8b3f",
            "path": "postinstall.js"
        },
        {
            "sha256": "43ea04ee39980c0159cf157318ca1c8b56879952cf4ecb57d5f803a705214eb9",
            "tlsh": "77d05e304e525b3378c81bed082b81aaa9f3490b511c792c57df2894874e27b947b62e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "hyperliquid-sdk-1.1.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-dldfFC3ujCt5TY6rYYeZKbJp115FjELOG+p/2ciLn0AkQ98G4w+1ivvwdLAMbOSLR/5Yoo6pyRXCqvgP34C64w==",
                "sha1": "68c3d69407d5202fe10439caab45f9f84cf96d9b"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/hyperliquid-sdk/MAL-2026-10026.json"