npm

@wagni_bot/bsc-sdk @1.2.0

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-10023

Ecosystem

npm

Summary

@wagni_bot/bsc-sdk@1.1.0 is a typosquat of BSC-SDK-family packages whose sole purpose is credential theft at install time. index.js exports an empty object; the package provides no advertised BNB Smart Chain functionality. The postinstall lifecycle script recursively scans the current working directory, the user's home directory, and ~/.ssh for files matching id_rsa, id_ed25519, *.pem, *.key, *.cred, and.env, and POSTs their contents to a hardcoded bare-IP endpoint at http://107.161.90.180:7777. In parallel, it enumerates process.env for keys containing PRIVATE, SECRET, TOKEN, API_KEY, PASSWORD, MNEMONIC, SEED, WALLET, or AWS and transmits the matching key=value pairs along with hostname, username, and cwd to the same endpoint. The destination is a plaintext HTTP bare IP on a non-standard port, consistent with throwaway stealer infrastructure. Every developer and CI runner that runs npm install on this package has their SSH private keys, PEM certificates, and credential-shaped environment variables shipped to the attacker.

Source: amazon-inspector (68707229cc80d6db8fe3b087a40601cdbd8b23bcda9a3030ede4e0ac85fe0cf8)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.