-= Per source details. Do not edit below this line.=-
The package's postinstall.js runs unconditionally on npm install and scans the installer's current working directory and home directory — including ~/.ssh, ~/.ethereum, ~/.config/ethereum, ~/.solana, ~/.bitcoin, and ~/Library/Ethereum — for wallet keystores, PEM/SSH private keys (idrsa, ided25519,.pem,.key), and files matching seed/mnemonic/keystore/wallet/secret/private patterns. Matching file contents (truncated to 10000 bytes) plus a filtered subset of process.env (variables whose names contain PRIVATE, SECRET, TOKEN, KEY, PASSWORD, MNEMONIC, SEED, WALLET, or AWS) are POSTed to a hardcoded bare-IP endpoint at http://107.161.90.180:7777. Each request also carries os.hostname(), os.userInfo().username, and process.cwd() so the attacker can attribute the stolen secrets to a specific victim host. The advertised main (index.js) exports an empty object — the package has no legitimate functionality; the credential stealer is its only behavior. The name @wagni_bot/polygon-sdk with description 'Unofficial polygon-sdk SDK' impersonates the Polygon blockchain SDK ecosystem to attract crypto developers whose environments are especially likely to contain wallet keystores and seed phrases.
{
"malicious-packages-origins": [
{
"sha256": "08175e3395c5f9ca2060277990b8f2a3ca0b0c76fb7b617984a7851154d2d0a1",
"id": "IN-MAL-2026-009023",
"import_time": "2026-07-09T16:20:33.334188241Z",
"modified_time": "2026-07-09T15:16:00Z",
"versions": [
"1.1.5"
],
"source": "amazon-inspector"
},
{
"sha256": "0b8505aa9556e8a5cda038f6ccca378e1141c080f1745e6dfc246dd64a779048",
"id": "IN-MAL-2026-009051",
"modified_time": "2026-07-09T15:20:30Z",
"versions": [
"1.1.4"
],
"import_time": "2026-07-09T16:20:36.564843073Z",
"source": "amazon-inspector"
},
{
"sha256": "21057fe7bf57d07370e9d3864fdc96bcef3ce826661bcd36f036dc748283c956",
"id": "IN-MAL-2026-009079",
"import_time": "2026-07-09T16:20:38.951483534Z",
"modified_time": "2026-07-09T15:25:02Z",
"versions": [
"1.0.0"
],
"source": "amazon-inspector"
},
{
"sha256": "3b51be1207d0630482354c1080c1cbf25beffe3e0cb83f189a44aad2f5d932f6",
"id": "IN-MAL-2026-009061",
"import_time": "2026-07-09T16:20:37.309200251Z",
"modified_time": "2026-07-09T15:22:04Z",
"versions": [
"1.1.1"
],
"source": "amazon-inspector"
},
{
"versions": [
"1.1.0"
],
"id": "IN-MAL-2026-009063",
"import_time": "2026-07-09T16:20:37.54281449Z",
"modified_time": "2026-07-09T15:22:24Z",
"sha256": "6a62845cf651614f2d1b7ee771bc313596eecf38857339cae14d23d95886087d",
"source": "amazon-inspector"
},
{
"sha256": "f85b2cfd5c419bda02db4b760641cc2ff9c9214b2e17cf6689bb7936866944e7",
"id": "IN-MAL-2026-009056",
"import_time": "2026-07-09T16:20:36.907371066Z",
"modified_time": "2026-07-09T15:21:20Z",
"versions": [
"1.1.3"
],
"source": "amazon-inspector"
},
{
"versions": [
"1.2.0"
],
"id": "IN-MAL-2026-009017",
"import_time": "2026-07-09T16:20:32.94041606Z",
"modified_time": "2026-07-09T15:15:03Z",
"sha256": "f9ea8fe37b0fd16cf29e1210dc00124d06e00814cb51298993d4aade97655e55",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "3d8a59e627a451040c959870dace8fb417d1f9c55c6e2d2190637289212f8b3f",
"tlsh": "5c8155c4b1fa520958a341eefa5b220210717d573848e4a9fedc9f456f56240af53bfc",
"path": "postinstall.js"
},
{
"tlsh": "add05e204e505b33b8c81bed083b41aaa9f3491b501c692c57db2894874e37f98bb22e",
"sha256": "26568f72760885937f432fc4348f8aa37497cee0c4eb3d0d109e8d342bb1fcb7",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "polygon-sdk-1.1.5.tgz",
"hashes": {
"sha512_sri": "sha512-NLYDGe1Gh4dB48vE7Oaaee9h5FNKmwr7oMQ9w1rON9UQa7LvR0oZFRuEusCi2D98SVYobPTL3OiyUZwYuXbn0w==",
"sha1": "d9f686bdd52602590d1e1ebf8481251cd2d79585"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/polygon-sdk/MAL-2026-10032.json"