MAL-2026-10030

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/opensea-sdk/MAL-2026-10030.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10030
Published
2026-07-09T15:16:48Z
Modified
2026-07-09T16:31:51.285116650Z
Summary
Malicious code in @wagni_bot/opensea-sdk (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (180731324517ae6b27ea40b119dba8f0ab1080a6662ea947f86e8c0de545b0cd)

Package impersonates the OpenSea SDK namespace (name @wagnibot/opensea-sdk, description "Unofficial opensea-sdk SDK") but ships no SDK functionality — its purpose is the postinstall.js dropper that runs automatically on npm install. postinstall.js walks the installer's home directory and crypto-wallet paths (.ethereum,.solana,.bitcoin, Library/Ethereum) for files matching wallet/keystore/seed/mnemonic/private/pem/idrsa patterns; greps file contents for Ethereum/Bitcoin private-key and BIP39 seed-phrase shapes; reads every file under ~/.ssh (excluding known_hosts and *.pub); and filters process.env for names containing PRIVATE, SECRET, TOKEN, KEY, PASSWORD, MNEMONIC, SEED, WALLET, or AWS. Each hit is POSTed together with os.hostname(), os.userInfo().username, and process.cwd() (plus up to 10KB of matched file content) via plain HTTP to the hardcoded bare-IP endpoint http://107.161.90.180:7777. Installing this package on a developer machine hands over SSH private keys, crypto wallet keystores/seed phrases, and secret environment variables to the operator of that endpoint.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "180731324517ae6b27ea40b119dba8f0ab1080a6662ea947f86e8c0de545b0cd",
            "id": "IN-MAL-2026-009057",
            "import_time": "2026-07-09T16:20:37.001985806Z",
            "modified_time": "2026-07-09T15:21:29Z",
            "versions": [
                "1.1.3"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "d56bf145287b480a0577ea59eeb574bb06e0d02b9b0edff8455e1ff80da1832f",
            "id": "IN-MAL-2026-009080",
            "import_time": "2026-07-09T16:20:39.008968199Z",
            "modified_time": "2026-07-09T15:25:14Z",
            "versions": [
                "1.1.5"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "fdf4e3b5fbb9ee046aa4d5448d1e218334d9ac301520bb1a476b66da5ab5ffea",
            "id": "IN-MAL-2026-009067",
            "modified_time": "2026-07-09T15:23:07Z",
            "versions": [
                "1.1.0"
            ],
            "import_time": "2026-07-09T16:20:37.892230148Z",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.1.1"
            ],
            "id": "IN-MAL-2026-009060",
            "import_time": "2026-07-09T16:20:37.238236156Z",
            "modified_time": "2026-07-09T15:21:55Z",
            "sha256": "2b7cba911e938df1773eac5fb6c8d1ddd516b240d3fd15bb76669be864f3c11f",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.1.4"
            ],
            "id": "IN-MAL-2026-009054",
            "import_time": "2026-07-09T16:20:36.766361147Z",
            "modified_time": "2026-07-09T15:21:02Z",
            "sha256": "2bb17ee14bcebc28314402ab5abb1f23fd63161c49ad9f5240ac6b12885adff7",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.2.0"
            ],
            "id": "IN-MAL-2026-009028",
            "import_time": "2026-07-09T16:20:33.713134211Z",
            "modified_time": "2026-07-09T15:16:48Z",
            "sha256": "33f13d814ee8aed088dc7fef1737db9d9946d49b043aa95e9ed1f9bd3a10ddaa",
            "source": "amazon-inspector"
        },
        {
            "sha256": "4567a95fc8efe5311a2394bcc04b64aba72ca8ce846790fc5d37b56f39847162",
            "id": "IN-MAL-2026-009073",
            "import_time": "2026-07-09T16:20:38.317505614Z",
            "modified_time": "2026-07-09T15:24:06Z",
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @wagni_bot/opensea-sdk

Package

Name
@wagni_bot/opensea-sdk
View open source insights on deps.dev
Purl
pkg:npm/%40wagni_bot/opensea-sdk

Affected ranges

Affected versions

1.*
1.0.0
1.1.0
1.1.1
1.1.3
1.1.4
1.1.5
1.2.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "ef1ab14e4f432b72160bae8ac60ef8558bc3f05c0e5a0f21516dbcd8f9bac202",
            "tlsh": "2a7194f4b0a9115853e3b7f2671b3d12a56f85563b82d4f13bec9e002f699c4ca23439",
            "path": "postinstall.js"
        },
        {
            "tlsh": "69c08c000b05af322aa00be52d63cc6c84e102680008d50c0fc709ba8a527ea902e113",
            "sha256": "e7f4416be9edacf94b0d9b9a5a3022128e47de67c5a8530590f112e6da7c68fc",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "opensea-sdk-1.1.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-XpDF5DeY2sSWSkush0ODVFUittcj9Ys4pcvFWdL9fGnZsqZDT2bXB05dgGRolVSQ2RuZ+3Uy8oWrjLrHlySKSg==",
                "sha1": "e9b584473c6a106d47f0ab7018be2f9ea2fe1bbd"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/opensea-sdk/MAL-2026-10030.json"