MAL-2026-10034

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/pumpfun-sdk/MAL-2026-10034.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10034
Published
2026-07-09T15:18:25Z
Modified
2026-07-09T16:31:51.135578571Z
Summary
Malicious code in @wagni_bot/pumpfun-sdk (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c3c060b019bf424240d1dbb396577a6b8a1e6079de951e5732f5027e767bab20)

On npm install, postinstall.js recursively walks the user's home directory harvesting cryptocurrency wallet material (Solana id.json, Ethereum keystores, wallet.dat, seed/mnemonic files) and developer credentials (~/.ssh private keys, ~/.aws/credentials, ~/.git-credentials, ~/.npmrc auth tokens,.env files). The collected file contents together with os.hostname() and os.userInfo().username are JSON-encoded and POSTed over plain HTTP to a hardcoded bare-IP endpoint at http://107.161.90.180:7777. The package ships no functional SDK code; the postinstall script is the entire payload, while the package name mimics the legitimate Solana pump.fun SDK naming to lure developers. Installing this package on any developer or CI machine causes immediate loss of SSH keys, cloud credentials, npm publish tokens, git credentials, and any crypto wallet keys present in the home directory.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "4de202cbfc85ad5e2bd273362095b18d2d1b79337c4cb8a4adedbcc850853168",
            "id": "IN-MAL-2026-009038",
            "import_time": "2026-07-09T16:20:35.070495173Z",
            "modified_time": "2026-07-09T15:18:25Z",
            "versions": [
                "1.2.0"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "c3c060b019bf424240d1dbb396577a6b8a1e6079de951e5732f5027e767bab20",
            "id": "IN-MAL-2026-009047",
            "import_time": "2026-07-09T16:20:36.272454627Z",
            "modified_time": "2026-07-09T15:19:56Z",
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @wagni_bot/pumpfun-sdk

Package

Name
@wagni_bot/pumpfun-sdk
View open source insights on deps.dev
Purl
pkg:npm/%40wagni_bot/pumpfun-sdk

Affected ranges

Affected versions

1.*
1.0.0
1.2.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "pumpfun-sdk-1.2.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-FNG/JM9ry83i7neh77VaVoiASIaAyH/fuflCErqpuxtNPuH105i0OQj+jK9yNfxv7Ssb6bnF+uxSS61rvbPyrQ==",
                "sha1": "881b66fabbea39a8708d8e8aeb88cb7a9974fc38"
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "6712d9c576be111d1427d2bbfa2b0202356eae8a260dd995fcce09002f583945bd7bfc",
            "sha256": "6c9c16897e74d441ac24472d86e97fac219c2fc56f14408ef406b2883df03654",
            "path": "postinstall.js"
        },
        {
            "sha256": "0c17c07b8b9b4169fe462bc08939e7088144a21523384cf96e4b99cc9430dfd9",
            "tlsh": "eed05e204e505b3378c91bec0827416aa9f3591b1118692857df2894470e27b947b62f",
            "path": "package.json"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/pumpfun-sdk/MAL-2026-10034.json"