npm

@wagni_bot/polygon-sdk @1.2.0

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-10032

Ecosystem

npm

Summary

The package's postinstall.js runs unconditionally on npm install and scans the installer's current working directory and home directory — including ~/.ssh, ~/.ethereum, ~/.config/ethereum, ~/.solana, ~/.bitcoin, and ~/Library/Ethereum — for wallet keystores, PEM/SSH private keys (id_rsa, id_ed25519,.pem,.key), and files matching seed/mnemonic/keystore/wallet/secret/private patterns. Matching file contents (truncated to 10000 bytes) plus a filtered subset of process.env (variables whose names contain PRIVATE, SECRET, TOKEN, KEY, PASSWORD, MNEMONIC, SEED, WALLET, or AWS) are POSTed to a hardcoded bare-IP endpoint at http://107.161.90.180:7777. Each request also carries os.hostname(), os.userInfo().username, and process.cwd() so the attacker can attribute the stolen secrets to a specific victim host. The advertised main (index.js) exports an empty object — the package has no legitimate functionality; the credential stealer is its only behavior. The name @wagni_bot/polygon-sdk with description 'Unofficial polygon-sdk SDK' impersonates the Polygon blockchain SDK ecosystem to attract crypto developers whose environments are especially likely to contain wallet keystores and seed phrases.

Source: amazon-inspector (f85b2cfd5c419bda02db4b760641cc2ff9c9214b2e17cf6689bb7936866944e7)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.