@wagni_bot/polymarket-sdk @1.2.0
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-10033
Ecosystem
npm
Summary
@wagni_bot/polymarket-sdk@1.1.3 is a credential-stealing package disguised as a Polymarket SDK. index.js exports an empty object; the package ships no advertised functionality. On npm install , scripts.postinstall triggers postinstall.js, which: (1) walks the current working directory, the user's home directory, and common crypto-wallet paths (.ethereum,.solana,.bitcoin, Library/Ethereum) for files matching keystore/wallet/seed/mnemonic/private/.pem/.key patterns, regex-matches Ethereum private keys, BTC WIF keys, and BIP39 mnemonics, and POSTs matches to a hardcoded bare-IP endpoint; (2) reads every file in ~/.ssh (excluding known_hosts, authorized_keys, and.pub files), harvesting id_rsa/id_ed25519 private keys, and POSTs each to the same endpoint; (3) enumerates process.env, filters for keys containing PRIVATE/SECRET/TOKEN/KEY/PASSWORD/MNEMONIC/SEED/WALLET/AWS, and exfiltrates name=value pairs together with hostname, username, and cwd. All traffic is sent over plain HTTP to http://107.161.90.180:7777. The package name impersonates a legitimate Polymarket SDK to attract developers likely to have crypto keys on disk.
Source: amazon-inspector (c939d03cb15cd37cd1e4f87e913daefd7407245c771ed23bf12a712cad2c5495)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.