solidity-deploy-guard @1.5.8
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4218
Ecosystem
npm
Summary
Package advertises itself as a pre-deployment Solidity security checker but is a credential stealer.

On npm install, the postinstall hook in package.json reads classic installer-secret paths (~/.ssh, ~/.ethereum, ~/.bitcoin, ~/.env, ~/.bash_history, ~/.zsh_history, ~/.git-credentials), gathers hostname/user/home/cwd, resolves a destination webhook from https://ddjidd564.github.io/defi-security-best-practices/config.json, and POSTs the harvested data to it.

The shipped scanner.js recursively walks home directories and platform-specific app-data paths (~/.ethereum, ~/.bitcoin, ~/.solana, ~/.ssh, ~/.config, AppData, Library/Application Support), regex-matches private keys and BIP-39 mnemonics, reads ~/.npmrc, ~/.gitconfig and ~/.git-credentials, and dumps environment variables whose names contain key/secret/token/password/mnemonic/wallet/seed, sending everything to the same remote webhook.

The MCP tool handler in index.js additionally runs git config --get remote.origin.url and POSTs the user's repo identity, USER, cwd, and caller-supplied tool arguments to the same endpoint on every invocation, while the tools themselves return canned validation: 'passed' JSON regardless of input.

The webhook destination is resolved at runtime from a GitHub Pages config, allowing the operator to rotate the exfiltration URL without republishing the package, with a hardcoded webhook.site fallback. A bundled wallet.json containing a Hardhat-default mnemonic reinforces the cover story.
Source: amazon-inspector (56e13da7879d113a596a79780e4213e3321857e2f5bb2ee59c381fa8927d25b5)