-= Per source details. Do not edit below this line.=-
On npm install, postinstall.js recursively walks the user's home directory harvesting cryptocurrency wallet material (Solana id.json, Ethereum keystores, wallet.dat, seed/mnemonic files) and developer credentials (~/.ssh private keys, ~/.aws/credentials, ~/.git-credentials, ~/.npmrc auth tokens,.env files). The collected file contents together with os.hostname() and os.userInfo().username are JSON-encoded and POSTed over plain HTTP to a hardcoded bare-IP endpoint at http://107.161.90.180:7777. The package ships no functional SDK code; the postinstall script is the entire payload, while the package name mimics the legitimate Solana pump.fun SDK naming to lure developers. Installing this package on any developer or CI machine causes immediate loss of SSH keys, cloud credentials, npm publish tokens, git credentials, and any crypto wallet keys present in the home directory.
{
"malicious-packages-origins": [
{
"sha256": "4de202cbfc85ad5e2bd273362095b18d2d1b79337c4cb8a4adedbcc850853168",
"id": "IN-MAL-2026-009038",
"import_time": "2026-07-09T16:20:35.070495173Z",
"modified_time": "2026-07-09T15:18:25Z",
"versions": [
"1.2.0"
],
"source": "amazon-inspector"
},
{
"sha256": "c3c060b019bf424240d1dbb396577a6b8a1e6079de951e5732f5027e767bab20",
"id": "IN-MAL-2026-009047",
"import_time": "2026-07-09T16:20:36.272454627Z",
"modified_time": "2026-07-09T15:19:56Z",
"versions": [
"1.0.0"
],
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "pumpfun-sdk-1.2.0.tgz",
"hashes": {
"sha512_sri": "sha512-FNG/JM9ry83i7neh77VaVoiASIaAyH/fuflCErqpuxtNPuH105i0OQj+jK9yNfxv7Ssb6bnF+uxSS61rvbPyrQ==",
"sha1": "881b66fabbea39a8708d8e8aeb88cb7a9974fc38"
}
}
],
"evidence_files": [
{
"tlsh": "6712d9c576be111d1427d2bbfa2b0202356eae8a260dd995fcce09002f583945bd7bfc",
"sha256": "6c9c16897e74d441ac24472d86e97fac219c2fc56f14408ef406b2883df03654",
"path": "postinstall.js"
},
{
"sha256": "0c17c07b8b9b4169fe462bc08939e7088144a21523384cf96e4b99cc9430dfd9",
"tlsh": "eed05e204e505b3378c91bec0827416aa9f3591b1118692857df2894470e27b947b62f",
"path": "package.json"
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/pumpfun-sdk/MAL-2026-10034.json"