MAL-2026-10033

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/polymarket-sdk/MAL-2026-10033.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10033
Published
2026-07-09T15:17:11Z
Modified
2026-07-09T16:31:51.045074443Z
Summary
Malicious code in @wagni_bot/polymarket-sdk (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c939d03cb15cd37cd1e4f87e913daefd7407245c771ed23bf12a712cad2c5495)

@wagnibot/polymarket-sdk@1.1.3 is a credential-stealing package disguised as a Polymarket SDK. index.js exports an empty object; the package ships no advertised functionality. On npm install, scripts.postinstall triggers postinstall.js, which: (1) walks the current working directory, the user's home directory, and common crypto-wallet paths (.ethereum,.solana,.bitcoin, Library/Ethereum) for files matching keystore/wallet/seed/mnemonic/private/.pem/.key patterns, regex-matches Ethereum private keys, BTC WIF keys, and BIP39 mnemonics, and POSTs matches to a hardcoded bare-IP endpoint; (2) reads every file in ~/.ssh (excluding knownhosts, authorizedkeys, and.pub files), harvesting idrsa/id_ed25519 private keys, and POSTs each to the same endpoint; (3) enumerates process.env, filters for keys containing PRIVATE/SECRET/TOKEN/KEY/PASSWORD/MNEMONIC/SEED/WALLET/AWS, and exfiltrates name=value pairs together with hostname, username, and cwd. All traffic is sent over plain HTTP to http://107.161.90.180:7777. The package name impersonates a legitimate Polymarket SDK to attract developers likely to have crypto keys on disk.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "00ff40156e9b9ed5217299ae05d692fef75a24e5a2870b9e165166754c7df3bf",
            "id": "IN-MAL-2026-009082",
            "import_time": "2026-07-09T16:20:39.108031402Z",
            "versions": [
                "1.1.5"
            ],
            "modified_time": "2026-07-09T15:25:30Z",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.1.1"
            ],
            "id": "IN-MAL-2026-009064",
            "import_time": "2026-07-09T16:20:37.602587472Z",
            "modified_time": "2026-07-09T15:22:33Z",
            "sha256": "88763b94ea857523036af8f3f4bbc7861378dc6ca961f3738435e77ee80576c0",
            "source": "amazon-inspector"
        },
        {
            "sha256": "c939d03cb15cd37cd1e4f87e913daefd7407245c771ed23bf12a712cad2c5495",
            "id": "IN-MAL-2026-009035",
            "modified_time": "2026-07-09T15:17:59Z",
            "versions": [
                "1.1.3"
            ],
            "import_time": "2026-07-09T16:20:34.629095579Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "e23d97deed586e49260f3bc22da6bbe767b9e9fa31baa6d7bef52c889762f309",
            "id": "IN-MAL-2026-009075",
            "import_time": "2026-07-09T16:20:38.622439325Z",
            "modified_time": "2026-07-09T15:24:25Z",
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.1.4"
            ],
            "id": "IN-MAL-2026-009037",
            "import_time": "2026-07-09T16:20:34.990822311Z",
            "modified_time": "2026-07-09T15:18:16Z",
            "sha256": "1635405e118e677f9fb564c9dc43a0bc66da70dd81752bb059e90414506e3ac7",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.1.0"
            ],
            "id": "IN-MAL-2026-009071",
            "import_time": "2026-07-09T16:20:38.151858142Z",
            "modified_time": "2026-07-09T15:23:45Z",
            "sha256": "17116c251543c98ca4c496dc6f9022df020c590561f9dd7c221b965ea90bb946",
            "source": "amazon-inspector"
        },
        {
            "sha256": "236c5163ce694ba99be29c7e4b17f70ce4488e437c08115ff66d7477527ec00f",
            "id": "IN-MAL-2026-009030",
            "import_time": "2026-07-09T16:20:33.856785927Z",
            "versions": [
                "1.2.0"
            ],
            "modified_time": "2026-07-09T15:17:11Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @wagni_bot/polymarket-sdk

Package

Name
@wagni_bot/polymarket-sdk
View open source insights on deps.dev
Purl
pkg:npm/%40wagni_bot/polymarket-sdk

Affected ranges

Affected versions

1.*
1.0.0
1.1.0
1.1.1
1.1.3
1.1.4
1.1.5
1.2.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "3d8a59e627a451040c959870dace8fb417d1f9c55c6e2d2190637289212f8b3f",
            "tlsh": "5c8155c4b1fa520958a341eefa5b220210717d573848e4a9fedc9f456f56240af53bfc",
            "path": "postinstall.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "polymarket-sdk-1.1.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-eWdNDOj7rQjIsSgXAR1nlP2VtXoP/0kG160PMWkaP0DlfS2dA7McIR/I4ZJ4yhToWWp71KSs2XRZu5fdN2yWHw==",
                "sha1": "7e7293d4d61a85aeca67f6f232afa43ea268446a"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/polymarket-sdk/MAL-2026-10033.json"