MAL-2026-10027

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/jupiter-sdk/MAL-2026-10027.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10027
Published
2026-07-09T15:19:21Z
Modified
2026-07-09T16:31:50.084145617Z
Summary
Malicious code in @wagni_bot/jupiter-sdk (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (39a61b5c33c6e519d3754f8518272984d1bf3bc2045e4f288ad36ac837d0ecf0)

@wagnibot/jupiter-sdk 1.2.0 impersonates the Jupiter (Solana DEX) SDK namespace but ships no SDK functionality. package.json wires both preinstall and postinstall to postinstall.js, which fires automatically on npm install. postinstall.js walks the installer's home directory and common locations (Desktop, Documents, Downloads, /root, /tmp) collecting: Solana/Ethereum wallet material (id.json, wallet.json, keypair.json, keystore files, ~/.config/solana/id.json), MetaMask/Phantom browser-extension state from Chrome/Brave/Edge profiles, seed-phrase and mnemonic.txt/.md/.rtf/.csv files identified by keyword lists and BIP39 wordlist matching (>=10 hits), and standard credential paths (.env,.npmrc,.git-credentials,.netrc, ~/.aws/credentials, ~/.ssh/id* private keys). Collected file contents (up to 5000 bytes per match) plus host identity (os.hostname(), os.userInfo(), os.homedir()) are POSTed to hardcoded C2 at http://107.161.90.180:7777. Package has empty description, no README, and no legitimate code — it is a pure stealer using a typosquat-of-namespace lure against Solana developers.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.2.0"
            ],
            "sha256": "39a61b5c33c6e519d3754f8518272984d1bf3bc2045e4f288ad36ac837d0ecf0",
            "import_time": "2026-07-09T16:20:35.941918197Z",
            "modified_time": "2026-07-09T15:19:21Z",
            "id": "IN-MAL-2026-009043",
            "source": "amazon-inspector"
        },
        {
            "modified_time": "2026-07-09T15:25:38Z",
            "sha256": "bdd44b7f03aec6fe22cce9deeba6f7d00c3ed619a36387f29f5359a19b34e483",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2026-07-09T16:20:39.164178853Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-009083"
        }
    ]
}
References
Credits

Affected packages

npm / @wagni_bot/jupiter-sdk

Package

Name
@wagni_bot/jupiter-sdk
View open source insights on deps.dev
Purl
pkg:npm/%40wagni_bot/jupiter-sdk

Affected ranges

Affected versions

1.*
1.0.0
1.2.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "jupiter-sdk-1.2.0.tgz",
            "hashes": {
                "sha1": "571ef185bb25dce55123208a8329883f4cd4be61",
                "sha512_sri": "sha512-vN84WvPGVqekiBZIpmRr4GM7nBOd3zxczzXKCCP+MZk84WfqZ5Lwd8KW2nYs6pqyGJFNQRlyuPO9fnPq67tNzg=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "6712d9c576be111d1427d2bbfa2b0202356eae8a260dd995fcce09002f583945bd7bfc",
            "sha256": "6c9c16897e74d441ac24472d86e97fac219c2fc56f14408ef406b2883df03654",
            "path": "postinstall.js"
        },
        {
            "tlsh": "50d05e204e505f3378c81bec0827416aa9f3490f5018692817df3994830e27b94bb62f",
            "sha256": "0b663a915f45d8754783e6c87ed678cae8889490eb77b45f4c173cc9e7ced4bb",
            "path": "package.json"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/jupiter-sdk/MAL-2026-10027.json"