npm

@wagni_bot/solana-sdk @1.2.0

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-10035

Ecosystem

npm

Summary

Package @wagni_bot/solana-sdk impersonates a legitimate Solana SDK but contains no SDK functionality — main points at postinstall.js, which is a credential-harvesting payload that runs automatically on npm install via preinstall/postinstall hooks. On execution the script recursively walks the installer's home directory, Desktop, Documents, Downloads, /root, and /tmp for wallet and secret files (id.json, wallet.json, keypair.json, MetaMask/Phantom extension storage in Chrome/Brave/Edge profiles,.env, seed.txt, mnemonic.txt), and reads SSH private keys (~/.ssh/id_*), AWS credentials (~/.aws/credentials), git credentials,.npmrc,.netrc, and Solana/Ethereum keystores. Collected file contents (up to 10KB each) are bundled with os.hostname(), os.userInfo().username, and cwd, then POSTed in cleartext to http://107.161.90.180:7777. The package name typosquats the Solana SDK ecosystem to lure developers into installing the harvester.

Source: amazon-inspector (e15edf4a83ab4894a29882072554e493c1673695d5e6aaa734672ba6da084112)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.