MAL-2026-5360

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/wallet-sdk-9/MAL-2026-5360.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5360
Published
2026-06-09T07:55:37Z
Modified
2026-06-11T02:31:31.918154383Z
Summary
Malicious code in wallet-sdk-9 (npm)
Details

Crypto/SSH/wallet stealer, blockchain-helper-0 campaign sibling (c960+). postinstall auto-execs, src/index.js harvests ~/.ssh/id_rsa+id_ed25519+Sol/Eth/BTC/Tron/Sui/Aptos wallets+.env+seeds, self-labels "CRYPTO STEALER", exfils to SAME Telegram bot 8227918239 chat 6433587894 (not rotated). Campaign now uses inflated version (3.7.73) not 1.0.0.


-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (dd38e082e2657a6a3f8ffbab9bbad8dc1e1f2c460bb65546640f818d3077dad6)

On install (postinstall lifecycle hook) and on require of the main module, src/index.js scans the installer's home directory and current working directory for crypto wallet material (Solana id.json, Ethereum keystore, Bitcoin wallet.dat, Tron/Sui/Aptos wallets), SSH private keys (~/.ssh/id_rsa, ~/.ssh/id_ed25519), and project secrets (.env, mnemonic.txt, seed.txt, private.key). Discovered files are uploaded to api.telegram.org using a hardcoded bot token and chat_id (bot 8227918239, chat 6433587894) via sendDocument. An isTestEnvironment() guard at src/index.js:10-26 suppresses execution in CI and sandboxed environments by checking CI/GITHUB_ACTIONS/JENKINS_HOME/NODE_ENV markers, Docker-style 12-hex hostnames, and runner/sandbox/docker usernames, ensuring the payload only fires on real developer machines. The package self-labels its exfiltration message as a 'CRYPTO STEALER' and ships no legitimate wallet SDK functionality despite its name; metadata is placeholder ('Utility library', empty README, generic author) consistent with a lure targeting developers searching for wallet SDKs.
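Defender-side triage of the behaviour described above, as an added example that is not part of the advisory or the OSV record: it reads an unpacked npm package's package.json for auto-run lifecycle hooks and checks its source files for the indicator classes named here (Telegram sendDocument exfiltration, SSH key and wallet paths, seed files, CI/sandbox markers), then combines them into a verdict. The sample package.json and index.js stub are constructed for the test, and the regex patterns and category names are my own.

```python
import json
import re

# Lifecycle hooks npm runs automatically during install; the advisory's payload uses postinstall.
AUTO_RUN_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicator classes derived from the MAL-2026-5360 description (patterns are constructed, not the sample's code).
INDICATORS = {
    "telegram_exfil": re.compile(r"api\.telegram\.org|sendDocument"),
    "ssh_private_keys": re.compile(r"\.ssh[/\\]id_(rsa|ed25519)"),
    "wallet_material": re.compile(r"\b(id\.json|wallet\.dat|keystore)\b"),
    "secret_files": re.compile(r"(\.env|mnemonic\.txt|seed\.txt|private\.key)\b"),
    "sandbox_evasion": re.compile(r"\b(GITHUB_ACTIONS|JENKINS_HOME|NODE_ENV)\b|isTestEnvironment"),
}

# Constructed sample: a package.json with an install hook and a stub that only carries the strings
# a triage tool would see; it performs no file access or network activity.
SAMPLE_PACKAGE_JSON = '{"name": "example-sdk", "version": "3.7.73", "scripts": {"postinstall": "node src/index.js"}}'
SAMPLE_SOURCES = {
    "src/index.js": (
        "const targets = ['~/.ssh/id_rsa', '~/.ssh/id_ed25519', 'wallet.dat', 'mnemonic.txt'];\n"
        "const endpoint = 'https://api.telegram.org/bot<BOT_TOKEN>/sendDocument';\n"
        "function isTestEnvironment() { return !!(process.env.CI || process.env.GITHUB_ACTIONS); }\n"
    ),
}


def triage_package(package_json: str, sources: dict) -> dict:
    """Static triage of an unpacked npm tarball: auto-run hooks plus indicator hits per source file."""
    scripts = json.loads(package_json).get("scripts", {})
    hooks = {name: cmd for name, cmd in scripts.items() if name in AUTO_RUN_HOOKS}
    hits = {}
    for path, text in sources.items():
        found = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
        if found:
            hits[path] = found
    categories = {c for found in hits.values() for c in found}
    harvests = bool(categories & {"ssh_private_keys", "wallet_material", "secret_files"})
    if hooks and harvests and "telegram_exfil" in categories:
        verdict = "high"  # code runs on install, reads credential material, and has an exfil channel
    elif hooks and (harvests or "telegram_exfil" in categories):
        verdict = "medium"
    elif hooks or categories:
        verdict = "low"  # a hook alone, or indicator strings without a hook, is only worth a manual look
    else:
        verdict = "clean"
    return {"hooks": hooks, "hits": hits, "verdict": verdict}


if __name__ == "__main__":
    print(json.dumps(triage_package(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES), indent=2))
```

The heuristic is string-based, so a package that builds its paths or URLs at runtime will not hit it; treat "high" as a reason to block and inspect, not as proof.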

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "3.7.73"
            ],
            "sha256": "dd38e082e2657a6a3f8ffbab9bbad8dc1e1f2c460bb65546640f818d3077dad6",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T01:39:26Z",
            "import_time": "2026-06-11T02:24:27.036385046Z",
            "id": "IN-MAL-2026-005350"
        }
    ]
}
References
Credits

Affected packages

npm / wallet-sdk-9

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

3.*
3.7.73

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "wallet-sdk-9-3.7.73.tgz",
            "hashes": {
                "sha512_sri": "sha512-HP7AP26QIeWqXeHQy4yZRe6Av+QkqNJjqOskFU+g9SJAoRiAbCmbU76aU6g7Kntgu99IPGrIWhaR3u3BLKH8Jw==",
                "sha1": "1d3d22b8c4f5d212c6a214a90713a079abe538ab"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "ef4459281c64f1fe8923d703d416f04080ff1a2b7b385366f46d7cdb25731502",
            "path": "src/index.js",
            "tlsh": "30b121f41ef677148193e3a9624f60015436e1473c06ed65769c87c8af88a6ca6f2efc"
        },
        {
            "sha256": "d115c5a849563cd963caffa5369a752ec5f8b2a0c23adde567fd921aea498e21",
            "path": "package.json",
            "tlsh": "21d0a7204f20973374c4475b0826914a69b20d1a0044bc1817e31248838d3b648bb21e"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/wallet-sdk-9/MAL-2026-5360.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]