Crypto/SSH/wallet stealer, blockchain-helper-0 campaign sibling (c960+). postinstall auto-execs, src/index.js harvests ~/.ssh/id_rsa+id_ed25519+Sol/Eth/BTC/Tron/Sui/Aptos wallets+.env+seeds, self-labels "CRYPTO STEALER", exfils to SAME Telegram bot 8227918239 chat 6433587894 (not rotated). Campaign now uses inflated version (3.7.73) not 1.0.0.
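Added triage example, not code from the wallet-sdk-9 package, from Amazon Inspector or from the OSSF entry: a static check over an extracted npm tarball that flags the combination the per-source details below describe, an install-time lifecycle hook plus a Telegram sendDocument exfil channel, a hardcoded bot token, SSH key and wallet/.env file names, and the CI/hostname/username sandbox-evasion checks. The package.json and src/index.js inputs are constructed lookalikes rather than the real files, and the indicator names, regexes and verdict thresholds are this example's own assumptions.

```javascript
// Added example: static triage for an npm install-time stealer of the kind
// described in this entry. Not code from wallet-sdk-9, Amazon Inspector or the
// OSSF entry; indicator names, regexes and verdict rules are this example's own.
// Runs offline on the constructed sample inputs at the bottom; nothing is fetched.

// Lifecycle hooks npm runs when the package is installed as a dependency
// (prepare additionally runs for git and local installs). Any of these
// executing code is the first flag for a package that claims to be a library.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicator groups. Regexes tolerate string concatenation and template
// literals, which is how exfil URLs are usually assembled in these payloads.
const INDICATORS = [
  ["telegram_exfil", /api\.telegram\.org\/bot[\s\S]{0,120}?sendDocument/i],
  ["hardcoded_bot_token", /\b\d{8,10}:[A-Za-z0-9_-]{30,}/],
  ["ssh_private_keys", /\.ssh[\\\/]+id_(?:rsa|ed25519|ecdsa|dsa)\b/],
  ["wallet_files", /\b(?:id\.json|wallet\.dat|keystore|mnemonic\.txt|seed\.txt|private\.key)\b/i],
  ["dotenv_harvest", /["'`]\.env["'`]/],
  ["ci_sandbox_evasion", /process\.env\.(?:CI|GITHUB_ACTIONS|JENKINS_HOME|NODE_ENV)\b/],
  ["docker_hostname_check", /\[(?:0-9a-f|a-f0-9)\]\{12\}/],
  ["sandbox_user_check", /os\.userInfo\(\)[\s\S]{0,80}(?:runner|sandbox|docker)|(?:runner|sandbox|docker)[\s\S]{0,80}os\.userInfo\(\)/i],
];

// Return the install-time hooks declared in a package.json text.
function installHooks(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = (pkg && typeof pkg.scripts === "object" && pkg.scripts) || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string")
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Names of every indicator that fires on one file's text.
function scanSource(sourceText) {
  return INDICATORS.filter(([, re]) => re.test(sourceText)).map(([name]) => name);
}

// Verdict rule (this example's own): high = install hook + an exfil channel +
// a credential-harvest indicator; medium = exfil or harvest alone; low = none.
// Sandbox evasion is reported separately: it does not change what the package
// is, it changes how you have to analyse it (dynamic detonation will stay quiet).
function triagePackage(packageJsonText, files) {
  const hooks = installHooks(packageJsonText);
  const hits = {};
  for (const [file, text] of Object.entries(files)) {
    const found = scanSource(text);
    if (found.length) hits[file] = found;
  }
  const all = new Set(Object.values(hits).flat());
  const exfil = all.has("telegram_exfil") || all.has("hardcoded_bot_token");
  const harvest = ["ssh_private_keys", "wallet_files", "dotenv_harvest"].some((n) => all.has(n));
  const evasion = ["ci_sandbox_evasion", "docker_hostname_check", "sandbox_user_check"]
    .some((n) => all.has(n));
  const verdict = hooks.length && exfil && harvest ? "high" : exfil || harvest ? "medium" : "low";
  return { hooks, hits, evasion, verdict };
}

// Constructed lookalike inputs (NOT the real wallet-sdk-9 files). The token is a
// dummy of the right shape; the guard mirrors the env/hostname/username checks.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-wallet-lib", version: "3.7.73", description: "Utility library",
  main: "src/index.js", scripts: { postinstall: "node src/index.js" },
});
const SAMPLE_INDEX_JS = `
const os = require("os"), fs = require("fs"), path = require("path");
function isTestEnvironment() {
  if (process.env.CI || process.env.GITHUB_ACTIONS || process.env.JENKINS_HOME) return true;
  if (/^[0-9a-f]{12}$/.test(os.hostname())) return true;
  const user = os.userInfo().username;
  return /^(runner|sandbox|docker)$/i.test(user);
}
const TARGETS = [".ssh/id_rsa", ".ssh/id_ed25519", ".env", "mnemonic.txt", "wallet.dat"];
const TOKEN = "0000000000:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
const ENDPOINT = "https://api.telegram.org/bot" + TOKEN + "/sendDocument";
`;
const BENIGN_PACKAGE_JSON = JSON.stringify({ name: "padder", version: "1.0.0", scripts: { test: "node test.js" } });
const BENIGN_INDEX_JS = "module.exports = (s, n) => String(s).padStart(n);\n";

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(triagePackage(SAMPLE_PACKAGE_JSON, { "src/index.js": SAMPLE_INDEX_JS }), null, 2));
  console.log(JSON.stringify(triagePackage(BENIGN_PACKAGE_JSON, { "index.js": BENIGN_INDEX_JS }), null, 2));
}
```

Run it with node. The evasion flag is the practical caveat: a detonation sandbox that exports CI=1, has a 12-hex Docker hostname or runs as a runner/sandbox/docker user will see no network activity from a package like this, so the dependable check is static review of lifecycle scripts and file contents, not observed behaviour.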
-= Per source details. Do not edit below this line.=-
On install (postinstall lifecycle hook) and on require of the main module, src/index.js scans the installer's home directory and current working directory for crypto wallet material (Solana id.json, Ethereum keystore, Bitcoin wallet.dat, Tron/Sui/Aptos wallets), SSH private keys (~/.ssh/id_rsa, ~/.ssh/id_ed25519), and project secrets (.env, mnemonic.txt, seed.txt, private.key). Discovered files are uploaded to api.telegram.org using a hardcoded bot token and chat_id (bot 8227918239, chat 6433587894) via sendDocument. An isTestEnvironment() guard at src/index.js:10-26 suppresses execution in CI and sandboxed environments by checking CI/GITHUB_ACTIONS/JENKINS_HOME/NODE_ENV markers, Docker-style 12-hex hostnames, and runner/sandbox/docker usernames, ensuring the payload only fires on real developer machines. The package self-labels its exfiltration message as a 'CRYPTO STEALER' and ships no legitimate wallet SDK functionality despite its name; metadata is placeholder ('Utility library', empty README, generic author) consistent with a lure targeting developers searching for wallet SDKs.
{
"malicious-packages-origins": [
{
"versions": [
"3.7.73"
],
"sha256": "dd38e082e2657a6a3f8ffbab9bbad8dc1e1f2c460bb65546640f818d3077dad6",
"source": "amazon-inspector",
"modified_time": "2026-06-11T01:39:26Z",
"import_time": "2026-06-11T02:24:27.036385046Z",
"id": "IN-MAL-2026-005350"
}
]
}
{
"package_integrity": [
{
"filename": "wallet-sdk-9-3.7.73.tgz",
"hashes": {
"sha512_sri": "sha512-HP7AP26QIeWqXeHQy4yZRe6Av+QkqNJjqOskFU+g9SJAoRiAbCmbU76aU6g7Kntgu99IPGrIWhaR3u3BLKH8Jw==",
"sha1": "1d3d22b8c4f5d212c6a214a90713a079abe538ab"
}
}
],
"evidence_files": [
{
"sha256": "ef4459281c64f1fe8923d703d416f04080ff1a2b7b385366f46d7cdb25731502",
"path": "src/index.js",
"tlsh": "30b121f41ef677148193e3a9624f60015436e1473c06ed65769c87c8af88a6ca6f2efc"
},
{
"sha256": "d115c5a849563cd963caffa5369a752ec5f8b2a0c23adde567fd921aea498e21",
"path": "package.json",
"tlsh": "21d0a7204f20973374c4475b0826914a69b20d1a0044bc1817e31248838d3b648bb21e"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/wallet-sdk-9/MAL-2026-5360.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]