MAL-2026-10029

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/meteora-sdk/MAL-2026-10029.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10029
Published
2026-07-09T15:15:13Z
Modified
2026-07-09T16:31:50.602309351Z
Summary
Malicious code in @wagni_bot/meteora-sdk (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3c9ce73824df41724095566c21d7ff98309575f9fc77c330606559bf5d194ab5)

The package ships a single file postinstall.js that is wired to run at both preinstall and postinstall (and is also the package main, so require() triggers it). On install it walks user home directories, Desktop/Documents/Downloads, and /root looking for wallet/keystore/seed files,.env, ~/.aws/credentials, ~/.ssh/id_*, ~/.git-credentials, Solana id.json, Ethereum keystore JSON, and Chrome/Brave/Edge MetaMask/Phantom extension storage, and POSTs the file bytes together with hostname, username, and cwd to http://107.161.90.180:7777. It additionally scans.txt/.md/.rtf/.csv files for BIP39 wordlist matches and Spanish/English seed-phrase keywords ('seed','mnemonic','semilla','frase','clave privada', etc.) and uploads any matches to the same endpoint. The package name impersonates the Meteora Solana SDK namespace (@meteora-ag/*) but ships no SDK code — the harvester is the entire package.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-009081",
            "import_time": "2026-07-09T16:20:39.062600229Z",
            "modified_time": "2026-07-09T15:25:22Z",
            "sha256": "1d3ae2d3843dbeacfc94629514cabf649c762c80cb0083af626575400e2e20ff",
            "source": "amazon-inspector"
        },
        {
            "sha256": "3c9ce73824df41724095566c21d7ff98309575f9fc77c330606559bf5d194ab5",
            "id": "IN-MAL-2026-009018",
            "import_time": "2026-07-09T16:20:33.011709357Z",
            "modified_time": "2026-07-09T15:15:13Z",
            "versions": [
                "1.2.0"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @wagni_bot/meteora-sdk

Package

Name
@wagni_bot/meteora-sdk
View open source insights on deps.dev
Purl
pkg:npm/%40wagni_bot/meteora-sdk

Affected ranges

Affected versions

1.*
1.0.0
1.2.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "meteora-sdk-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-g7RQ3y03lNMVi1D03nbH6fa3YiTF+QGV83G+RaTGRHLgUdNBJez4e0Z1Da6JN9b8B1zRg4DUU9/B26qJxdet9w==",
                "sha1": "0b925b023166fd424affe3c6e20760574366e93d"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "3d8a59e627a451040c959870dace8fb417d1f9c55c6e2d2190637289212f8b3f",
            "tlsh": "5c8155c4b1fa520958a341eefa5b220210717d573848e4a9fedc9f456f56240af53bfc",
            "path": "postinstall.js"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/meteora-sdk/MAL-2026-10029.json"