npm · Malicious package advisory

Malware

wallet-sdk-9

MAL-2026-5360

Malicious code in wallet-sdk-9 (npm)

Details

Crypto/SSH/wallet stealer; a sibling of the blockchain-helper-0 campaign (c960+). The postinstall hook executes automatically, and src/index.js harvests ~/.ssh/id_rsa and ~/.ssh/id_ed25519, Solana/Ethereum/Bitcoin/Tron/Sui/Aptos wallets, .env files and seed phrases, self-labels its message "CRYPTO STEALER", and exfiltrates to the SAME Telegram bot 8227918239 / chat 6433587894 as earlier siblings (not rotated). The campaign now publishes an inflated version number (3.7.73) instead of 1.0.0.

---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (dd38e082e2657a6a3f8ffbab9bbad8dc1e1f2c460bb65546640f818d3077dad6)
On install (postinstall lifecycle hook) and on require of the main module, src/index.js scans the installer's home directory and current working directory for crypto wallet material (Solana id.json, Ethereum keystore, Bitcoin wallet.dat, Tron/Sui/Aptos wallets), SSH private keys (~/.ssh/id_rsa, ~/.ssh/id_ed25519), and project secrets (.env, mnemonic.txt, seed.txt, private.key). Discovered files are uploaded to api.telegram.org using a hardcoded bot token and chat_id (bot 8227918239, chat 6433587894) via sendDocument. An isTestEnvironment() guard at src/index.js:10-26 suppresses execution in CI and sandboxed environments by checking CI/GITHUB_ACTIONS/JENKINS_HOME/NODE_ENV markers, Docker-style 12-hex hostnames, and runner/sandbox/docker usernames, ensuring the payload only fires on real developer machines. The package self-labels its exfiltration message as a 'CRYPTO STEALER' and ships no legitimate wallet SDK functionality despite its name; metadata is placeholder ('Utility library', empty README, generic author) consistent with a lure targeting developers searching for wallet SDKs.
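As an added example (not code from the advisory, the reporting source, or the package), the Node.js script below statically triages an unpacked npm package for the behaviours described above before any install script is allowed to run: an install lifecycle hook in package.json, references to the harvested files, a Telegram sendDocument sink (with the bot and chat ids from this advisory carried as known indicators), and the CI/Docker-hostname/username sandbox-evasion checks. Both fixtures are constructed inline so the block runs offline; the indicator names, weights, and the block/review/allow thresholds are my own assumptions, not part of any published rule set.

```javascript
// Static triage of an unpacked npm package (path -> file text), e.g. the output
// of `npm pack` extracted with tar, never an installed copy. Added example.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicator groups taken from the advisory text. Weights are assumptions.
const INDICATORS = [
  { id: 'exfil-telegram', weight: 5, re: /api\.telegram\.org\/bot[^/'"\s]*\/sendDocument/ },
  { id: 'known-chat-id', weight: 5, re: /\b6433587894\b/ }, // chat_id named in this advisory
  { id: 'known-bot-id', weight: 5, re: /\b8227918239\b/ },  // bot id named in this advisory
  { id: 'ssh-private-key', weight: 3, re: /\.ssh[\\/]id_(rsa|ed25519|ecdsa)\b/ },
  { id: 'wallet-file', weight: 3, re: /\b(wallet\.dat|keystore|id\.json)\b/ },
  { id: 'seed-material', weight: 3, re: /\b(mnemonic\.txt|seed\.txt|private\.key)\b|['"\/]\.env\b/ },
  { id: 'ci-evasion', weight: 2, re: /process\.env\.(CI|GITHUB_ACTIONS|JENKINS_HOME)\b/ },
  // Source text containing the literal regex ^[0-9a-f]{12}$ (Docker-style hostname check).
  { id: 'docker-hostname-evasion', weight: 2, re: /\^\[0-9a-f\]\{12\}\$/ },
  // os.userInfo() compared against runner/sandbox/docker on the same line, either order.
  { id: 'sandbox-user-evasion', weight: 2,
    re: /\b(runner|sandbox|docker)\b[^\n]*userInfo\(\)|userInfo\(\)[^\n]*\b(runner|sandbox|docker)\b/ },
];

// Return the install-time scripts declared in package.json (empty if none or unparsable).
function lifecycleHooks(pkgJsonText) {
  let pkg;
  try { pkg = JSON.parse(pkgJsonText); } catch { return []; }
  const scripts = (pkg && pkg.scripts) || {};
  return LIFECYCLE_HOOKS
    .filter((h) => typeof scripts[h] === 'string')
    .map((h) => ({ hook: h, cmd: scripts[h] }));
}

// Run every indicator over one source file and collect the hits.
function scanSource(path, text) {
  const hits = [];
  for (const ind of INDICATORS) {
    if (ind.re.test(text)) hits.push({ path, id: ind.id, weight: ind.weight });
  }
  return hits;
}

// Combine hooks and indicator hits into a score and a verdict.
function triagePackage(files) {
  const hooks = lifecycleHooks(files['package.json'] || '{}');
  const hits = [];
  for (const [path, text] of Object.entries(files)) {
    if (!/\.(c|m)?js$/.test(path)) continue; // only JavaScript sources
    hits.push(...scanSource(path, text));
  }
  const score = hits.reduce((s, h) => s + h.weight, 0) + (hooks.length ? 2 : 0);
  const ids = new Set(hits.map((h) => h.id));
  // The stealer shape: secret-bearing file targets + an exfil sink + auto-execution.
  const hasTarget = ['ssh-private-key', 'wallet-file', 'seed-material'].some((i) => ids.has(i));
  const hasSink = ['exfil-telegram', 'known-chat-id', 'known-bot-id'].some((i) => ids.has(i));
  const verdict = hasTarget && hasSink && hooks.length ? 'block' : score >= 5 ? 'review' : 'allow';
  return { verdict, score, hooks, hits };
}

// Constructed fixture mimicking the shape the advisory describes. Strings only;
// nothing in it is executed, and the token is a placeholder.
const SUSPECT = {
  'package.json': JSON.stringify({
    name: 'example-wallet-sdk', version: '3.7.73', description: 'Utility library',
    main: 'src/index.js', scripts: { postinstall: 'node src/index.js' },
  }),
  'src/index.js': [
    "const os = require('os');",
    'function isTestEnvironment() {',
    '  if (process.env.CI || process.env.GITHUB_ACTIONS || process.env.JENKINS_HOME) return true;',
    '  if (/^[0-9a-f]{12}$/.test(os.hostname())) return true;',
    "  return ['runner', 'sandbox', 'docker'].includes(os.userInfo().username);",
    '}',
    "const targets = ['.ssh/id_rsa', '.ssh/id_ed25519', 'wallet.dat', 'id.json', '.env', 'seed.txt'];",
    "const sink = 'https://api.telegram.org/bot<TOKEN>/sendDocument';",
  ].join('\n'),
};

// Constructed benign fixture: no install hook, no sensitive paths, no sink.
const BENIGN = {
  'package.json': JSON.stringify({
    name: 'pad-ish', version: '1.0.0', main: 'index.js', scripts: { test: 'node test.js' },
  }),
  'index.js': "module.exports = (s, n) => String(s).padStart(n, ' ');",
};

for (const [name, files] of [['suspect', SUSPECT], ['benign', BENIGN]]) {
  const r = triagePackage(files);
  console.log(name, r.verdict, r.score, r.hits.map((h) => h.id).join(','));
}
```

Pattern matching of this kind is a triage aid, not proof either way: the same campaign can rename files or switch sinks, so treat a `review` as a prompt to read the install script by hand. Fetching the tarball with `npm pack` and installing with `npm install --ignore-scripts` keeps the postinstall hook from firing while you look.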

Compromised versions (1)

  • 3.7.73

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.