-= Per source details. Do not edit below this line.=-
Package @wagnibot/solana-sdk impersonates a legitimate Solana SDK but contains no SDK functionality — main points at postinstall.js, which is a credential-harvesting payload that runs automatically on npm install via preinstall/postinstall hooks. On execution the script recursively walks the installer's home directory, Desktop, Documents, Downloads, /root, and /tmp for wallet and secret files (id.json, wallet.json, keypair.json, MetaMask/Phantom extension storage in Chrome/Brave/Edge profiles,.env, seed.txt, mnemonic.txt), and reads SSH private keys (~/.ssh/id*), AWS credentials (~/.aws/credentials), git credentials,.npmrc,.netrc, and Solana/Ethereum keystores. Collected file contents (up to 10KB each) are bundled with os.hostname(), os.userInfo().username, and cwd, then POSTed in cleartext to http://107.161.90.180:7777. The package name typosquats the Solana SDK ecosystem to lure developers into installing the harvester.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.0"
],
"id": "IN-MAL-2026-009048",
"import_time": "2026-07-09T16:20:36.326758107Z",
"modified_time": "2026-07-09T15:20:05Z",
"sha256": "a2007f27f9956a58b77a5e6bc010944f866ea375a9e76ef8d080979721e51eba",
"source": "amazon-inspector"
},
{
"sha256": "e15edf4a83ab4894a29882072554e493c1673695d5e6aaa734672ba6da084112",
"id": "IN-MAL-2026-009019",
"modified_time": "2026-07-09T15:15:23Z",
"versions": [
"1.2.0"
],
"import_time": "2026-07-09T16:20:33.064753249Z",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "3d8a59e627a451040c959870dace8fb417d1f9c55c6e2d2190637289212f8b3f",
"tlsh": "5c8155c4b1fa520958a341eefa5b220210717d573848e4a9fedc9f456f56240af53bfc",
"path": "postinstall.js"
},
{
"tlsh": "2ed05e204e505f33b8c81bed0937416aa9f3490b1118292c17df3894874e67b98bb72e",
"sha256": "65b1b0321120ad8458ec9801342ac23930095173d05dac4b2f6498c3db374264",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "solana-sdk-1.0.0.tgz",
"hashes": {
"sha512_sri": "sha512-IsekbLfEF9WDOmQii3NuSZDu8pne4VsOXWN1VKQsUc2Gy9Yif4MPjIVSoR6OD4a5s/Fi7ZXI9tw2CBSdopksjQ==",
"sha1": "a2da22179b6feee14f73568c3e9008f3ed94a853"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/solana-sdk/MAL-2026-10035.json"