VYPR

npm · Malicious package advisory

Malware

@wagni_bot/solana-sdk

MAL-2026-10035

Malicious code in @wagni_bot/solana-sdk (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e15edf4a83ab4894a29882072554e493c1673695d5e6aaa734672ba6da084112)
Package @wagni_bot/solana-sdk impersonates a legitimate Solana SDK but contains no SDK functionality — `main` points at postinstall.js, which is a credential-harvesting payload that runs automatically on `npm install` via preinstall/postinstall hooks. On execution the script recursively walks the installer's home directory, Desktop, Documents, Downloads, /root, and /tmp for wallet and secret files (id.json, wallet.json, keypair.json, MetaMask/Phantom extension storage in Chrome/Brave/Edge profiles,.env, seed.txt, mnemonic.txt), and reads SSH private keys (~/.ssh/id_*), AWS credentials (~/.aws/credentials), git credentials,.npmrc,.netrc, and Solana/Ethereum keystores. Collected file contents (up to 10KB each) are bundled with os.hostname(), os.userInfo().username, and cwd, then POSTed in cleartext to http://107.161.90.180:7777. The package name typosquats the Solana SDK ecosystem to lure developers into installing the harvester.

Compromised versions (2)

  • 1.0.0
  • 1.2.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.