MAL-2026-10035

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/solana-sdk/MAL-2026-10035.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10035
Published
2026-07-09T15:15:23Z
Modified
2026-07-09T16:31:51.305081077Z
Summary
Malicious code in @wagni_bot/solana-sdk (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e15edf4a83ab4894a29882072554e493c1673695d5e6aaa734672ba6da084112)

Package @wagnibot/solana-sdk impersonates a legitimate Solana SDK but contains no SDK functionality — main points at postinstall.js, which is a credential-harvesting payload that runs automatically on npm install via preinstall/postinstall hooks. On execution the script recursively walks the installer's home directory, Desktop, Documents, Downloads, /root, and /tmp for wallet and secret files (id.json, wallet.json, keypair.json, MetaMask/Phantom extension storage in Chrome/Brave/Edge profiles,.env, seed.txt, mnemonic.txt), and reads SSH private keys (~/.ssh/id*), AWS credentials (~/.aws/credentials), git credentials,.npmrc,.netrc, and Solana/Ethereum keystores. Collected file contents (up to 10KB each) are bundled with os.hostname(), os.userInfo().username, and cwd, then POSTed in cleartext to http://107.161.90.180:7777. The package name typosquats the Solana SDK ecosystem to lure developers into installing the harvester.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-009048",
            "import_time": "2026-07-09T16:20:36.326758107Z",
            "modified_time": "2026-07-09T15:20:05Z",
            "sha256": "a2007f27f9956a58b77a5e6bc010944f866ea375a9e76ef8d080979721e51eba",
            "source": "amazon-inspector"
        },
        {
            "sha256": "e15edf4a83ab4894a29882072554e493c1673695d5e6aaa734672ba6da084112",
            "id": "IN-MAL-2026-009019",
            "modified_time": "2026-07-09T15:15:23Z",
            "versions": [
                "1.2.0"
            ],
            "import_time": "2026-07-09T16:20:33.064753249Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @wagni_bot/solana-sdk

Package

Name
@wagni_bot/solana-sdk
View open source insights on deps.dev
Purl
pkg:npm/%40wagni_bot/solana-sdk

Affected ranges

Affected versions

1.*
1.0.0
1.2.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "3d8a59e627a451040c959870dace8fb417d1f9c55c6e2d2190637289212f8b3f",
            "tlsh": "5c8155c4b1fa520958a341eefa5b220210717d573848e4a9fedc9f456f56240af53bfc",
            "path": "postinstall.js"
        },
        {
            "tlsh": "2ed05e204e505f33b8c81bed0937416aa9f3490b1118292c17df3894874e67b98bb72e",
            "sha256": "65b1b0321120ad8458ec9801342ac23930095173d05dac4b2f6498c3db374264",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "solana-sdk-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-IsekbLfEF9WDOmQii3NuSZDu8pne4VsOXWN1VKQsUc2Gy9Yif4MPjIVSoR6OD4a5s/Fi7ZXI9tw2CBSdopksjQ==",
                "sha1": "a2da22179b6feee14f73568c3e9008f3ed94a853"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/solana-sdk/MAL-2026-10035.json"