VYPR

npm · Malicious package advisory

Malware

@wagni_bot/web3-agent

MAL-2026-10036

Malicious code in @wagni_bot/web3-agent (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8c0a6ae1834b7a2ba134544c33f4f3a26457a5e1ea9858a3d6c22f64bbf17c57)
On `npm install`, postinstall.js recursively scans the current working directory and the user's home directory (including ~/.ethereum, ~/.config/ethereum, ~/.solana, ~/.config/solana, ~/.bitcoin, ~/Library/Ethereum) for files matching wallet/key patterns (.pem,.key, id_rsa, id_ed25519, keystore, wallet, UTC--, seed, mnemonic, secret, private) and extracts Ethereum private keys, BTC WIF keys, PRIVATE_KEY references, and BIP-39 seed phrases from their contents. It also enumerates ~/.ssh and reads every file other than known_hosts/authorized_keys/*.pub (i.e., private SSH keys and ssh config), and filters process.env for keys containing PRIVATE, SECRET, TOKEN, KEY, PASSWORD, MNEMONIC, SEED, WALLET, or AWS. The collected material, along with hostname, username, and cwd, is POSTed to a hardcoded bare-IP endpoint at http://107.161.90.180:7777. The package's index.js exports an empty object (`module.exports = {}`) and the package.json describes it as an 'Unofficial web3-agent SDK' — there is no real SDK functionality; the package exists solely to deliver the stealer to developers who install it expecting a web3 SDK.

Compromised versions (6)

  • 1.1.4
  • 1.1.0
  • 1.1.3
  • 1.1.5
  • 1.0.0
  • 1.1.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.