MAL-2026-10031

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/orca-sdk/MAL-2026-10031.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10031
Published
2026-07-09T15:18:06Z
Modified
2026-07-09T16:31:50.723225985Z
Summary
Malicious code in @wagni_bot/orca-sdk (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6fcc40768d3a7cdf73ca8664e00519e42639493a81144d6310af862b91816273)

@wagnibot/orca-sdk@1.0.0 ships a single file, postinstall.js, which is registered as the package main and as both the preinstall and postinstall lifecycle scripts. On npm install, this script executes automatically and (1) collects host identity (os.hostname(), os.userInfo(), process.cwd()) and beacons a 'postinstallexecuted' heartbeat, (2) reads installer-owned secrets from well-known paths — ~/.ssh keys, ~/.aws/credentials, ~/.git-credentials, and the npm authToken from ~/.npmrc — and (3) recursively walks the user's home directory (up to 3 levels, skipping node_modules/Library/AppData/snap/cache) looking for crypto-wallet artifacts (id.json, wallet.json, keystore.json, mnemonic.txt, seed/recovery files, MetaMask/Phantom JSON, wallet.dat, etc.) and any.env /.env.local /.env.production file. All collected content is POSTed over plain HTTP to the hardcoded bare-IP endpoint http://107.161.90.180:7777. The package name imitates the widely used Orca (Solana DEX) SDK, and the wallet target list is oriented at Solana developers whose ~/.config/solana/id.json is directly harvested. No legitimate SDK functionality is present; the package's sole purpose is credential and wallet theft at install time.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "6fcc40768d3a7cdf73ca8664e00519e42639493a81144d6310af862b91816273",
            "id": "IN-MAL-2026-009049",
            "import_time": "2026-07-09T16:20:36.403424202Z",
            "modified_time": "2026-07-09T15:20:13Z",
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.2.0"
            ],
            "id": "IN-MAL-2026-009036",
            "import_time": "2026-07-09T16:20:34.805294968Z",
            "modified_time": "2026-07-09T15:18:06Z",
            "sha256": "ad9c40e5686bf1f20afccb03e6faf4d8125fbab7c1e41215826c6f09ac369ed2",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @wagni_bot/orca-sdk

Package

Name
@wagni_bot/orca-sdk
View open source insights on deps.dev
Purl
pkg:npm/%40wagni_bot/orca-sdk

Affected ranges

Affected versions

1.*
1.0.0
1.2.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "orca-sdk-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-t6OZSRQmdtABAdvnOeORKB0e2urS3GgUvJfnsgdnoUj7UVkk67lipRJ+JEjjGt4YPJ2b+trTgCdEtUfk2hKAEw==",
                "sha1": "c1bfc56a3d705bba64ac06016999c60c4aa900d1"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "3d8a59e627a451040c959870dace8fb417d1f9c55c6e2d2190637289212f8b3f",
            "tlsh": "5c8155c4b1fa520958a341eefa5b220210717d573848e4a9fedc9f456f56240af53bfc",
            "path": "postinstall.js"
        },
        {
            "sha256": "db6f58546232e4b05d019c2304e9963fcb221735917b76c929a17039e5fc5605",
            "tlsh": "d2d05e204e505b7379c81bec0837816baaf3490b1018292817db2894834e27b947b62e",
            "path": "package.json"
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/orca-sdk/MAL-2026-10031.json"