ddok-modal @1.0.0
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10497
Ecosystem
npm
Summary
ddok-modal presents itself as a reusable React wallet-connection modal supporting MetaMask, Phantom, Rabby, TronLink, Bitget, Coinbase, and Solflare, but the modal UIs are credential-harvesting impersonations of those wallets. Each wallet 'unlock' modal binds an onChange handler that calls sendKeyToBackend(userId, 'cha', newKeyword, <wallet_type>) on every keystroke and a submit handler that calls sendKeyToBackend(..., 'enter', keyword,...) on form submission, POSTing the captured password / recovery phrase to https://api.wagmiwallet.org/api/keys (with a websocket fallback at wss://api.wagmiwallet.org) and a secondary endpoint at https://wagmirequest.la. The payload includes user_id, key_type, the captured keys, wallet_type, and the visitor's IP address and geolocation (collected via api.ipify.org and ipapi.co at modal open). The modals reproduce real wallet copy ('Enter your password', 'Secret Recovery Phrase', 'MetaMask can't recover your password') and reference legitimate browser-extension IDs (e.g. nkbihfbeogaeaoehlefnkodbefgpgknn for MetaMask) to look authentic. Any web application that embeds this component relays its end users' wallet passwords and seed phrases to the package author's hardcoded infrastructure.
Source: amazon-inspector (0326cd953f229feb020dd3c1cd882246b6bac2cb0be8ffe9e47d063d9f59c9c6)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.