wallet-sdk-9 @3.7.73

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID: MAL-2026-5360

Ecosystem: npm

Summary

On install (postinstall lifecycle hook) and on require of the main module, src/index.js scans the installer's home directory and current working directory for crypto wallet material (Solana id.json, Ethereum keystore, Bitcoin wallet.dat, Tron/Sui/Aptos wallets), SSH private keys (~/.ssh/id_rsa, ~/.ssh/id_ed25519), and project secrets (.env, mnemonic.txt, seed.txt, private.key). Discovered files are uploaded to api.telegram.org using a hardcoded bot token and chat_id (bot 8227918239, chat 6433587894) via sendDocument. An isTestEnvironment() guard at src/index.js:10-26 suppresses execution in CI and sandboxed environments by checking CI/GITHUB_ACTIONS/JENKINS_HOME/NODE_ENV markers, Docker-style 12-hex hostnames, and runner/sandbox/docker usernames, ensuring the payload only fires on real developer machines. The package self-labels its exfiltration message as a 'CRYPTO STEALER' and ships no legitimate wallet SDK functionality despite its name; metadata is placeholder ('Utility library', empty README, generic author) consistent with a lure targeting developers searching for wallet SDKs.

Source: amazon-inspector (dd38e082e2657a6a3f8ffbab9bbad8dc1e1f2c460bb65546640f818d3077dad6)
