—

MAL-2026-4708

Malicious code in wallet-agent-ai (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3bb49d047eeab68307095cf3a30ff0d42d745855890f181e4cb53dc2f6903e91) dist/agent.js contains a hardcoded Telegram Bot API endpoint (https://api.telegram.org) used in a fetch/POST call near references to process.env. The package presents itself as a wallet/AI agent but ships a bot-token-bearing C2 channel inside its compiled JS, alongside a third-party API call to api.astrolescent.com. This is the canonical credential/data exfiltration pattern: caller-supplied or environment-derived data is POSTed to a Telegram bot controlled by the package author, giving the author silent access to whatever inputs or env values reach this code path. There is no legitimate reason for a wallet-related library to relay data through a hardcoded Telegram bot endpoint.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / wallet-agent-ai

No fixed version published yet for wallet-agent-ai (npm). Pin to a known-safe version or switch to an alternative.

참고

https://www.npmjs.com/package/wallet-agent-ai/v/1.0.1 [PACKAGE]
https://www.npmjs.com/package/wallet-agent-ai/v/1.0.2 [PACKAGE]