npm

@wagni_bot/pumpfun-sdk @1.2.0

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-10034

Ecosystem

npm

Summary

On npm install, postinstall.js recursively walks the user's home directory harvesting cryptocurrency wallet material (Solana id.json, Ethereum keystores, wallet.dat, seed/mnemonic files) and developer credentials (~/.ssh private keys, ~/.aws/credentials, ~/.git-credentials, ~/.npmrc auth tokens,.env files). The collected file contents together with os.hostname() and os.userInfo().username are JSON-encoded and POSTed over plain HTTP to a hardcoded bare-IP endpoint at http://107.161.90.180:7777. The package ships no functional SDK code; the postinstall script is the entire payload, while the package name mimics the legitimate Solana pump.fun SDK naming to lure developers. Installing this package on any developer or CI machine causes immediate loss of SSH keys, cloud credentials, npm publish tokens, git credentials, and any crypto wallet keys present in the home directory.

Source: amazon-inspector (c3c060b019bf424240d1dbb396577a6b8a1e6079de951e5732f5027e767bab20)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.