@wagni_bot/opensea-sdk @1.2.0
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-10030
Ecosystem
npm
Summary
Package impersonates the OpenSea SDK namespace (name @wagni_bot/opensea-sdk, description "Unofficial opensea-sdk SDK") but ships no SDK functionality — its purpose is the postinstall.js dropper that runs automatically on npm install. postinstall.js walks the installer's home directory and crypto-wallet paths (.ethereum,.solana,.bitcoin, Library/Ethereum) for files matching wallet/keystore/seed/mnemonic/private/pem/id_rsa patterns; greps file contents for Ethereum/Bitcoin private-key and BIP39 seed-phrase shapes; reads every file under ~/.ssh (excluding known_hosts and *.pub); and filters process.env for names containing PRIVATE, SECRET, TOKEN, KEY, PASSWORD, MNEMONIC, SEED, WALLET, or AWS. Each hit is POSTed together with os.hostname(), os.userInfo().username, and process.cwd() (plus up to 10KB of matched file content) via plain HTTP to the hardcoded bare-IP endpoint http://107.161.90.180:7777. Installing this package on a developer machine hands over SSH private keys, crypto wallet keystores/seed phrases, and secret environment variables to the operator of that endpoint.
Source: amazon-inspector (180731324517ae6b27ea40b119dba8f0ab1080a6662ea947f86e8c0de545b0cd)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.