VYPR

npm · Malicious package advisory

Malware

@wagni_bot/bsc-sdk

MAL-2026-10023

Malicious code in @wagni_bot/bsc-sdk (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (68707229cc80d6db8fe3b087a40601cdbd8b23bcda9a3030ede4e0ac85fe0cf8)
@wagni_bot/bsc-sdk@1.1.0 is a typosquat of BSC-SDK-family packages whose sole purpose is credential theft at install time. index.js exports an empty object; the package provides no advertised BNB Smart Chain functionality. The postinstall lifecycle script recursively scans the current working directory, the user's home directory, and ~/.ssh for files matching id_rsa, id_ed25519, *.pem, *.key, *.cred, and.env, and POSTs their contents to a hardcoded bare-IP endpoint at http://107.161.90.180:7777. In parallel, it enumerates process.env for keys containing PRIVATE, SECRET, TOKEN, API_KEY, PASSWORD, MNEMONIC, SEED, WALLET, or AWS and transmits the matching key=value pairs along with hostname, username, and cwd to the same endpoint. The destination is a plaintext HTTP bare IP on a non-standard port, consistent with throwaway stealer infrastructure. Every developer and CI runner that runs `npm install` on this package has their SSH private keys, PEM certificates, and credential-shaped environment variables shipped to the attacker.

Compromised versions (7)

  • 1.2.0
  • 1.1.3
  • 1.1.1
  • 1.1.4
  • 1.1.0
  • 1.1.5
  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.