npm · Malicious package advisory
Malware@wagni_bot/jupiter-sdk
MAL-2026-10027
Malicious code in @wagni_bot/jupiter-sdk (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (39a61b5c33c6e519d3754f8518272984d1bf3bc2045e4f288ad36ac837d0ecf0) @wagni_bot/jupiter-sdk 1.2.0 impersonates the Jupiter (Solana DEX) SDK namespace but ships no SDK functionality. package.json wires both preinstall and postinstall to postinstall.js, which fires automatically on npm install. postinstall.js walks the installer's home directory and common locations (Desktop, Documents, Downloads, /root, /tmp) collecting: Solana/Ethereum wallet material (id.json, wallet.json, keypair.json, keystore files, ~/.config/solana/id.json), MetaMask/Phantom browser-extension state from Chrome/Brave/Edge profiles, seed-phrase and mnemonic.txt/.md/.rtf/.csv files identified by keyword lists and BIP39 wordlist matching (>=10 hits), and standard credential paths (.env,.npmrc,.git-credentials,.netrc, ~/.aws/credentials, ~/.ssh/id_* private keys). Collected file contents (up to 5000 bytes per match) plus host identity (os.hostname(), os.userInfo(), os.homedir()) are POSTed to hardcoded C2 at http://107.161.90.180:7777. Package has empty description, no README, and no legitimate code — it is a pure stealer using a typosquat-of-namespace lure against Solana developers.
Compromised versions (2)
- 1.2.0
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.