-= Per source details. Do not edit below this line.=-
@wagnibot/polymarket-sdk@1.1.3 is a credential-stealing package disguised as a Polymarket SDK. index.js exports an empty object; the package ships no advertised functionality. On npm install, scripts.postinstall triggers postinstall.js, which: (1) walks the current working directory, the user's home directory, and common crypto-wallet paths (.ethereum,.solana,.bitcoin, Library/Ethereum) for files matching keystore/wallet/seed/mnemonic/private/.pem/.key patterns, regex-matches Ethereum private keys, BTC WIF keys, and BIP39 mnemonics, and POSTs matches to a hardcoded bare-IP endpoint; (2) reads every file in ~/.ssh (excluding knownhosts, authorizedkeys, and.pub files), harvesting idrsa/id_ed25519 private keys, and POSTs each to the same endpoint; (3) enumerates process.env, filters for keys containing PRIVATE/SECRET/TOKEN/KEY/PASSWORD/MNEMONIC/SEED/WALLET/AWS, and exfiltrates name=value pairs together with hostname, username, and cwd. All traffic is sent over plain HTTP to http://107.161.90.180:7777. The package name impersonates a legitimate Polymarket SDK to attract developers likely to have crypto keys on disk.
{
"malicious-packages-origins": [
{
"sha256": "00ff40156e9b9ed5217299ae05d692fef75a24e5a2870b9e165166754c7df3bf",
"id": "IN-MAL-2026-009082",
"import_time": "2026-07-09T16:20:39.108031402Z",
"versions": [
"1.1.5"
],
"modified_time": "2026-07-09T15:25:30Z",
"source": "amazon-inspector"
},
{
"versions": [
"1.1.1"
],
"id": "IN-MAL-2026-009064",
"import_time": "2026-07-09T16:20:37.602587472Z",
"modified_time": "2026-07-09T15:22:33Z",
"sha256": "88763b94ea857523036af8f3f4bbc7861378dc6ca961f3738435e77ee80576c0",
"source": "amazon-inspector"
},
{
"sha256": "c939d03cb15cd37cd1e4f87e913daefd7407245c771ed23bf12a712cad2c5495",
"id": "IN-MAL-2026-009035",
"modified_time": "2026-07-09T15:17:59Z",
"versions": [
"1.1.3"
],
"import_time": "2026-07-09T16:20:34.629095579Z",
"source": "amazon-inspector"
},
{
"sha256": "e23d97deed586e49260f3bc22da6bbe767b9e9fa31baa6d7bef52c889762f309",
"id": "IN-MAL-2026-009075",
"import_time": "2026-07-09T16:20:38.622439325Z",
"modified_time": "2026-07-09T15:24:25Z",
"versions": [
"1.0.0"
],
"source": "amazon-inspector"
},
{
"versions": [
"1.1.4"
],
"id": "IN-MAL-2026-009037",
"import_time": "2026-07-09T16:20:34.990822311Z",
"modified_time": "2026-07-09T15:18:16Z",
"sha256": "1635405e118e677f9fb564c9dc43a0bc66da70dd81752bb059e90414506e3ac7",
"source": "amazon-inspector"
},
{
"versions": [
"1.1.0"
],
"id": "IN-MAL-2026-009071",
"import_time": "2026-07-09T16:20:38.151858142Z",
"modified_time": "2026-07-09T15:23:45Z",
"sha256": "17116c251543c98ca4c496dc6f9022df020c590561f9dd7c221b965ea90bb946",
"source": "amazon-inspector"
},
{
"sha256": "236c5163ce694ba99be29c7e4b17f70ce4488e437c08115ff66d7477527ec00f",
"id": "IN-MAL-2026-009030",
"import_time": "2026-07-09T16:20:33.856785927Z",
"versions": [
"1.2.0"
],
"modified_time": "2026-07-09T15:17:11Z",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "3d8a59e627a451040c959870dace8fb417d1f9c55c6e2d2190637289212f8b3f",
"tlsh": "5c8155c4b1fa520958a341eefa5b220210717d573848e4a9fedc9f456f56240af53bfc",
"path": "postinstall.js"
}
],
"package_integrity": [
{
"filename": "polymarket-sdk-1.1.5.tgz",
"hashes": {
"sha512_sri": "sha512-eWdNDOj7rQjIsSgXAR1nlP2VtXoP/0kG160PMWkaP0DlfS2dA7McIR/I4ZJ4yhToWWp71KSs2XRZu5fdN2yWHw==",
"sha1": "7e7293d4d61a85aeca67f6f232afa43ea268446a"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/polymarket-sdk/MAL-2026-10033.json"