MAL-2026-10037

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/web3-toolkit/MAL-2026-10037.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10037
Published
2026-07-09T15:14:27Z
Modified
2026-07-09T16:31:51.542804706Z
Summary
Malicious code in @wagni_bot/web3-toolkit (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (0a07053ee42572578f0fbeab5c9c8551fd2937f1126bc9c71c37546dfdf19edd)

The package installs a postinstall.js payload wired to both preinstall and postinstall lifecycle hooks (and to main), so it runs automatically on npm install. On execution it walks the user's home directory and OS-specific paths and reads files matching wallet, keystore, seed, mnemonic, and credential patterns — including.env, ~/.npmrc, ~/.aws/credentials, ~/.ssh/id_*, ~/.git-credentials, ~/.netrc, Solana id.json/keypair.json, Ethereum keystores, and browser wallet extension storage for MetaMask (nkbihfbeogaeaoehlefnkodbefgpgknn), Phantom, and similar extensions. It also scans.txt/.md/.rtf/.csv files across Desktop, Documents, and Downloads (including localized directory names), matches contents against an embedded BIP-39 wordlist to detect seed-phrase backups, and POSTs matching file contents plus host/user identifiers (os.hostname(), os.userInfo(), os.homedir()) over plain HTTP to a hardcoded remote endpoint at http://107.161.90.180:7777. The package.json description is empty and the package ships no legitimate functionality; the web3-themed scoped name is a lure targeting crypto developers.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "0a07053ee42572578f0fbeab5c9c8551fd2937f1126bc9c71c37546dfdf19edd",
            "id": "IN-MAL-2026-009013",
            "import_time": "2026-07-09T16:20:32.665526837Z",
            "modified_time": "2026-07-09T15:14:27Z",
            "versions": [
                "1.2.0"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "888085b6329d0b35602e7d50bedb0175cdb43dc35b2581b80a7ca5fccc7b7dee",
            "id": "IN-MAL-2026-009027",
            "modified_time": "2026-07-09T15:16:36Z",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2026-07-09T16:20:33.667248098Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @wagni_bot/web3-toolkit

Package

Name
@wagni_bot/web3-toolkit
View open source insights on deps.dev
Purl
pkg:npm/%40wagni_bot/web3-toolkit

Affected ranges

Affected versions

1.*
1.0.0
1.2.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "web3-toolkit-1.2.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-s8lSeq79K/bmTdruXzFihN/E3vXmKaxz1N7HeifXalx45DSwOBD6PbIq3zDgbJwnwJ3JGTYwIabQm3bOCsTRYQ==",
                "sha1": "0a1a57ea524fac883c113157f3b4e95dd9849145"
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "6712d9c576be111d1427d2bbfa2b0202356eae8a260dd995fcce09002f583945bd7bfc",
            "sha256": "6c9c16897e74d441ac24472d86e97fac219c2fc56f14408ef406b2883df03654",
            "path": "postinstall.js"
        },
        {
            "tlsh": "53d05e204d515b3378c81bec0827416baef3490f1008292817db2994434e67b947b62f",
            "sha256": "d88d3942aa56e24c3603568ea6c1f6498e09eaa43f9c88d94bb514ac164e0135",
            "path": "package.json"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wagni_bot/web3-toolkit/MAL-2026-10037.json"