npm · Malicious package advisory
Malware · swap-sdk-87
MAL-2026-5359
Malicious code in swap-sdk-87 (npm)
Details
Crypto/SSH/wallet stealer, a sibling of the blockchain-helper-0 campaign (c960+). The postinstall hook auto-executes src/index.js, which harvests ~/.ssh keys, Solana/Ethereum/Bitcoin/Tron/Sui/Aptos wallets, .env files and seed phrases, self-labels its upload "CRYPTO STEALER", and exfiltrates to the SAME Telegram bot 8227918239 and chat 6433587894 as its siblings (not rotated). The only published version (4.63.78) is inflated to suggest a mature project.

Per source details

Source: amazon-inspector (ee4f0ee119ae0ba917865c71f333eaeda049ce99024c50ad7d6c3ce41c1f7005)

On `npm install`, the package's postinstall hook loads src/index.js, which, after a 4-second delay and a sandbox/CI-evasion gate, enumerates secrets on the installing machine and uploads them to an attacker-controlled Telegram bot. Targeted paths include `~/.ssh/id_rsa`, `~/.ssh/id_ed25519`, the Solana keypair (`~/.config/solana/id.json`), Ethereum/Bitcoin/Tron/Sui/Aptos wallet files, `.env` files, and mnemonic/seed/keystore/secrets files. Stolen contents are POSTed to `api.telegram.org/bot<redacted>/sendDocument` with chat_id `6433587894`. The bot token `8227918239:AAGEMDrBZluDsBBYPxfSyMuv2l3FY8cZCcs` is hardcoded at src/index.js line 6. The code self-identifies with the literal HTML header `CRYPTO STEALER` (src/index.js line 107).

An evasion routine `isTestEnvironment()` (src/index.js lines 10–22) suppresses the payload when CI=true, GITHUB_ACTIONS=true, JENKINS_HOME is set, NODE_ENV is test or development, the hostname matches sandbox/test/ci or a 12-hex-character Docker container-ID pattern, or the username contains runner, sandbox or docker. The gate is built so the stealer fires only on real developer machines; an install performed in CI or in a default Docker sandbox will show no malicious behaviour, so dynamic analysis in such an environment will miss it unless those signals are removed.

The package advertises itself as 'Core utilities for blockchain development' with web3/solana/ethereum keywords and a placeholder author 'John Miller', a lure aimed precisely at the crypto developers whose machines hold the targeted secrets. It ships no actual SDK functionality.
Compromised versions (1)
- 4.63.78
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.