VDB
KO

MAL-2026-10497

Malicious code in ddok-modal (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (0326cd953f229feb020dd3c1cd882246b6bac2cb0be8ffe9e47d063d9f59c9c6) ddok-modal presents itself as a reusable React wallet-connection modal supporting MetaMask, Phantom, Rabby, TronLink, Bitget, Coinbase, and Solflare, but the modal UIs are credential-harvesting impersonations of those wallets. Each wallet 'unlock' modal binds an onChange handler that calls sendKeyToBackend(userId, 'cha', newKeyword, <wallet_type>) on every keystroke and a submit handler that calls sendKeyToBackend(..., 'enter', keyword,...) on form submission, POSTing the captured password / recovery phrase to https://api.wagmiwallet.org/api/keys (with a websocket fallback at wss://api.wagmiwallet.org) and a secondary endpoint at https://wagmirequest.la. The payload includes user_id, key_type, the captured keys, wallet_type, and the visitor's IP address and geolocation (collected via api.ipify.org and ipapi.co at modal open). The modals reproduce real wallet copy ('Enter your password', 'Secret Recovery Phrase', 'MetaMask can't recover your password') and reference legitimate browser-extension IDs (e.g. nkbihfbeogaeaoehlefnkodbefgpgknn for MetaMask) to look authentic. Any web application that embeds this component relays its end users' wallet passwords and seed phrases to the package author's hardcoded infrastructure.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / ddok-modal

No fixed version published yet for ddok-modal (npm). Pin to a known-safe version or switch to an alternative.

References