@wagni_bot/orca-sdk @1.2.0
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-10031
Ecosystem
npm
Summary
@wagni_bot/orca-sdk@1.0.0 ships a single file, postinstall.js, which is registered as the package main and as both the preinstall and postinstall lifecycle scripts. On npm install , this script executes automatically and (1) collects host identity (os.hostname(), os.userInfo(), process.cwd()) and beacons a 'postinstall_executed' heartbeat, (2) reads installer-owned secrets from well-known paths — ~/.ssh keys, ~/.aws/credentials, ~/.git-credentials, and the npm authToken from ~/.npmrc — and (3) recursively walks the user's home directory (up to 3 levels, skipping node_modules/Library/AppData/snap/cache) looking for crypto-wallet artifacts (id.json, wallet.json, keystore.json, mnemonic.txt, seed/recovery files, MetaMask/Phantom JSON, wallet.dat, etc.) and any.env /.env.local /.env.production file. All collected content is POSTed over plain HTTP to the hardcoded bare-IP endpoint http://107.161.90.180:7777. The package name imitates the widely used Orca (Solana DEX) SDK, and the wallet target list is oriented at Solana developers whose ~/.config/solana/id.json is directly harvested. No legitimate SDK functionality is present; the package's sole purpose is credential and wallet theft at install time.
Source: amazon-inspector (6fcc40768d3a7cdf73ca8664e00519e42639493a81144d6310af862b91816273)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.