MAL-2026-10032

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/polygon-sdk/MAL-2026-10032.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10032
Published
2026-07-09T15:15:03Z
Modified
2026-07-09T16:31:50.941539750Z
Summary
Malicious code in @wagni_bot/polygon-sdk (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f85b2cfd5c419bda02db4b760641cc2ff9c9214b2e17cf6689bb7936866944e7)

The package's postinstall.js runs unconditionally on npm install and scans the installer's current working directory and home directory — including ~/.ssh, ~/.ethereum, ~/.config/ethereum, ~/.solana, ~/.bitcoin, and ~/Library/Ethereum — for wallet keystores, PEM/SSH private keys (idrsa, ided25519,.pem,.key), and files matching seed/mnemonic/keystore/wallet/secret/private patterns. Matching file contents (truncated to 10000 bytes) plus a filtered subset of process.env (variables whose names contain PRIVATE, SECRET, TOKEN, KEY, PASSWORD, MNEMONIC, SEED, WALLET, or AWS) are POSTed to a hardcoded bare-IP endpoint at http://107.161.90.180:7777. Each request also carries os.hostname(), os.userInfo().username, and process.cwd() so the attacker can attribute the stolen secrets to a specific victim host. The advertised main (index.js) exports an empty object — the package has no legitimate functionality; the credential stealer is its only behavior. The name @wagni_bot/polygon-sdk with description 'Unofficial polygon-sdk SDK' impersonates the Polygon blockchain SDK ecosystem to attract crypto developers whose environments are especially likely to contain wallet keystores and seed phrases.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "08175e3395c5f9ca2060277990b8f2a3ca0b0c76fb7b617984a7851154d2d0a1",
            "id": "IN-MAL-2026-009023",
            "import_time": "2026-07-09T16:20:33.334188241Z",
            "modified_time": "2026-07-09T15:16:00Z",
            "versions": [
                "1.1.5"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "0b8505aa9556e8a5cda038f6ccca378e1141c080f1745e6dfc246dd64a779048",
            "id": "IN-MAL-2026-009051",
            "modified_time": "2026-07-09T15:20:30Z",
            "versions": [
                "1.1.4"
            ],
            "import_time": "2026-07-09T16:20:36.564843073Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "21057fe7bf57d07370e9d3864fdc96bcef3ce826661bcd36f036dc748283c956",
            "id": "IN-MAL-2026-009079",
            "import_time": "2026-07-09T16:20:38.951483534Z",
            "modified_time": "2026-07-09T15:25:02Z",
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "3b51be1207d0630482354c1080c1cbf25beffe3e0cb83f189a44aad2f5d932f6",
            "id": "IN-MAL-2026-009061",
            "import_time": "2026-07-09T16:20:37.309200251Z",
            "modified_time": "2026-07-09T15:22:04Z",
            "versions": [
                "1.1.1"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.1.0"
            ],
            "id": "IN-MAL-2026-009063",
            "import_time": "2026-07-09T16:20:37.54281449Z",
            "modified_time": "2026-07-09T15:22:24Z",
            "sha256": "6a62845cf651614f2d1b7ee771bc313596eecf38857339cae14d23d95886087d",
            "source": "amazon-inspector"
        },
        {
            "sha256": "f85b2cfd5c419bda02db4b760641cc2ff9c9214b2e17cf6689bb7936866944e7",
            "id": "IN-MAL-2026-009056",
            "import_time": "2026-07-09T16:20:36.907371066Z",
            "modified_time": "2026-07-09T15:21:20Z",
            "versions": [
                "1.1.3"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.2.0"
            ],
            "id": "IN-MAL-2026-009017",
            "import_time": "2026-07-09T16:20:32.94041606Z",
            "modified_time": "2026-07-09T15:15:03Z",
            "sha256": "f9ea8fe37b0fd16cf29e1210dc00124d06e00814cb51298993d4aade97655e55",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @wagni_bot/polygon-sdk

Package

Name
@wagni_bot/polygon-sdk
View open source insights on deps.dev
Purl
pkg:npm/%40wagni_bot/polygon-sdk

Affected ranges

Affected versions

1.*
1.0.0
1.1.0
1.1.1
1.1.3
1.1.4
1.1.5
1.2.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "3d8a59e627a451040c959870dace8fb417d1f9c55c6e2d2190637289212f8b3f",
            "tlsh": "5c8155c4b1fa520958a341eefa5b220210717d573848e4a9fedc9f456f56240af53bfc",
            "path": "postinstall.js"
        },
        {
            "tlsh": "add05e204e505b33b8c81bed083b41aaa9f3491b501c692c57db2894874e37f98bb22e",
            "sha256": "26568f72760885937f432fc4348f8aa37497cee0c4eb3d0d109e8d342bb1fcb7",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "polygon-sdk-1.1.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-NLYDGe1Gh4dB48vE7Oaaee9h5FNKmwr7oMQ9w1rON9UQa7LvR0oZFRuEusCi2D98SVYobPTL3OiyUZwYuXbn0w==",
                "sha1": "d9f686bdd52602590d1e1ebf8481251cd2d79585"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/polygon-sdk/MAL-2026-10032.json"