MAL-2026-10036

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/web3-agent/MAL-2026-10036.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10036
Published
2026-07-09T15:14:46Z
Modified
2026-07-09T16:31:51.399328067Z
Summary
Malicious code in @wagni_bot/web3-agent (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8c0a6ae1834b7a2ba134544c33f4f3a26457a5e1ea9858a3d6c22f64bbf17c57)

On npm install, postinstall.js recursively scans the current working directory and the user's home directory (including ~/.ethereum, ~/.config/ethereum, ~/.solana, ~/.config/solana, ~/.bitcoin, ~/Library/Ethereum) for files matching wallet/key patterns (.pem,.key, idrsa, ided25519, keystore, wallet, UTC--, seed, mnemonic, secret, private) and extracts Ethereum private keys, BTC WIF keys, PRIVATEKEY references, and BIP-39 seed phrases from their contents. It also enumerates ~/.ssh and reads every file other than knownhosts/authorized_keys/*.pub (i.e., private SSH keys and ssh config), and filters process.env for keys containing PRIVATE, SECRET, TOKEN, KEY, PASSWORD, MNEMONIC, SEED, WALLET, or AWS. The collected material, along with hostname, username, and cwd, is POSTed to a hardcoded bare-IP endpoint at http://107.161.90.180:7777. The package's index.js exports an empty object (module.exports = {}) and the package.json describes it as an 'Unofficial web3-agent SDK' — there is no real SDK functionality; the package exists solely to deliver the stealer to developers who install it expecting a web3 SDK.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.1.4"
            ],
            "id": "IN-MAL-2026-009050",
            "import_time": "2026-07-09T16:20:36.482313116Z",
            "modified_time": "2026-07-09T15:20:22Z",
            "sha256": "26cc66878a6bb36f83cf7dc19b02aa96f7b85f001de67b00871917c510aaeffd",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.1.0"
            ],
            "id": "IN-MAL-2026-009068",
            "import_time": "2026-07-09T16:20:37.935096886Z",
            "modified_time": "2026-07-09T15:23:18Z",
            "sha256": "59393c532a4a1c63df9b9571788912cfd789c3651a95e8543581ac1663b5796c",
            "source": "amazon-inspector"
        },
        {
            "sha256": "8c0a6ae1834b7a2ba134544c33f4f3a26457a5e1ea9858a3d6c22f64bbf17c57",
            "id": "IN-MAL-2026-009015",
            "import_time": "2026-07-09T16:20:32.811078929Z",
            "modified_time": "2026-07-09T15:14:46Z",
            "versions": [
                "1.1.3"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "b6e73e8702070365af135dd11215e41eba28de19486c4ced15db4d6730cd29fa",
            "id": "IN-MAL-2026-009022",
            "import_time": "2026-07-09T16:20:33.241161168Z",
            "modified_time": "2026-07-09T15:15:49Z",
            "versions": [
                "1.1.5"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "d7900a3d68ca9b3ee55910b6e99e0bc6efb57a1f95b7324dad00651d0755467b",
            "id": "IN-MAL-2026-009076",
            "import_time": "2026-07-09T16:20:38.694513635Z",
            "modified_time": "2026-07-09T15:24:34Z",
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "d8a0b7ae7e4ea38fffe7f852ffda542e4597c322b98a85664abbbfa2e7734e63",
            "id": "IN-MAL-2026-009040",
            "import_time": "2026-07-09T16:20:35.654900634Z",
            "modified_time": "2026-07-09T15:18:46Z",
            "versions": [
                "1.1.1"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @wagni_bot/web3-agent

Package

Name
@wagni_bot/web3-agent
View open source insights on deps.dev
Purl
pkg:npm/%40wagni_bot/web3-agent

Affected ranges

Affected versions

1.*
1.0.0
1.1.0
1.1.1
1.1.3
1.1.4
1.1.5

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "b55d033037a98304f47cfeb5823c0ed03f93e4cc007add0db701075cd6230d3b",
            "tlsh": "8151daa1f09d005d07eb3ef1169f31159e9f550a3a00d4f7778c4e82af4aac41e67929",
            "path": "postinstall.js"
        },
        {
            "sha256": "c4cc055b7b6083d611efff23997332028b5bd3577fb9f3734b9736a13b581435",
            "tlsh": "c4c08c210b21a7352aa00be43c93cc8c8ae642200005990418cb09b8c2523ee882e013",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "web3-agent-1.1.4.tgz",
            "hashes": {
                "sha512_sri": "sha512-WHCeGMmzq9uUj212Cxi9FNS+u6y9Fryeydqn88LBbQBcwNc2gWmO6MoDNJp4MEAALsCFW2IskSUr5PkRZ5ZpLQ==",
                "sha1": "7114523d1c5014b6bde258bf87159215728d6642"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/web3-agent/MAL-2026-10036.json"