MAL-2026-10026
Malicious code in @wagni_bot/hyperliquid-sdk (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (ca6ec83c9621f8afc9616d49876cc451ca8d99397d99288889b81298eb410d7e) The package is scoped and named to impersonate the Hyperliquid exchange SDK (@wagni_bot/hyperliquid-sdk) but ships no SDK code — only a harvester in postinstall.js that is wired to run automatically on npm install via both preinstall and postinstall lifecycle hooks. On install, the script scans the installer's home directory, Desktop, Documents, Downloads, /root, and /tmp for wallet-related artifacts (id.json, wallet.json, keystore.json, metamask.json, phantom.json, seed.txt, mnemonic.txt,.env, credentials.json,.npmrc,.git-credentials,.netrc), reads Solana/Ethereum keystores, ~/.ssh/ private keys, ~/.aws/credentials, ~/.git-credentials, and Chrome/Brave/Edge MetaMask and Phantom extension Local Extension Settings directories. It additionally reads user.txt/.md/.rtf/.csv files, tokenizes their content, and if 10 or more tokens match a BIP39 wordlist, uploads the file. All collected contents, along with hostname, username, and cwd, are POSTed to hardcoded endpoint http://107.161.90.180:7777. The package name impersonation targets crypto developers looking for the legitimate Hyperliquid SDK.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for @wagni_bot/hyperliquid-sdk (npm). Pin to a known-safe version or switch to an alternative.
참고
- https://www.npmjs.com/package/@wagni_bot/hyperliquid-sdk/v/1.1.5 [PACKAGE]
- https://www.npmjs.com/package/@wagni_bot/hyperliquid-sdk/v/1.0.0 [PACKAGE]
- https://www.npmjs.com/package/@wagni_bot/hyperliquid-sdk/v/1.1.4 [PACKAGE]
- https://www.npmjs.com/package/@wagni_bot/hyperliquid-sdk/v/1.2.0 [PACKAGE]
- https://www.npmjs.com/package/@wagni_bot/hyperliquid-sdk/v/1.1.0 [PACKAGE]
- https://www.npmjs.com/package/@wagni_bot/hyperliquid-sdk/v/1.1.1 [PACKAGE]
- https://www.npmjs.com/package/@wagni_bot/hyperliquid-sdk/v/1.1.3 [PACKAGE]