@secretkeylabs/xverse-agent-wallet@0.1.6
A package impersonating the Xverse Bitcoin wallet SDK. The postinstall script uses stderr suppression (2>/dev/null) to execute a hidden payload completely silently during npm install. By redirecting all error output to null, even if the payload fails, the developer sees no indication that anything unusual happened. Targeting the crypto wallet space makes this particularly dangerous as developers in this domain handle private keys and wallet credentials.
@secretkeylabs/xverse-agent-wallet@0.1.6 is a headless cryptocurrency wallet CLI that installs a Claude Code skill file to ~/.claude/ on postinstall. It ships a 380K-line bundled cli.js built from a private repo (xverse-core-private) and declares 9 phantom dependencies that are never imported via standard import/require in any source file (they are bundled into the blob instead). One phantom dep (argon2) has a native install lifecycle script (node-gyp-build), another (@buildonspark/lightning-mpp-sdk) was created only 18 days ago, and starknet pulls suspicious sub-dependencies. The postinstall script writes an AI skill file that instructs Claude Code to execute wallet commands including sends, swaps, and Lightning payments.
| Field | Value |
|---|---|
| Name | @secretkeylabs/xverse-agent-wallet |
| Version | 0.1.6 |
| Description | Headless Xverse wallet CLI |
| Maintainer | secretkeylabs |
| Repository | github.com/secretkeylabs/xverse-core-private (private repo) |
| Build Source | /home/runner/work/xverse-core-private/xverse-core-private/ (GitHub Actions CI) |
| Registry | npm.pkg.github.com (GitHub Packages) |
| License | Not specified |
| Published | 2026 |
| Risk Score | 335 (filter: 65, scanner: 270) |
| Dependency | Imported in Source? | Risk | Notes |
|---|---|---|---|
| @buildonspark/lightning-mpp-sdk | NO (phantom) | High | Created 18 days ago — brand new package |
| @scure/bip32 | NO (phantom) | Low | Legitimate crypto lib, bundled in blob |
| argon2 | NO (phantom) | High | Has install: "cross-env ZERO_AR_DATE=1 node-gyp-build" lifecycle |
| bignumber.js | NO (phantom) | Low | Bundled in blob |
| cli-table3 | NO (phantom) | Low | Bundled in blob |
| commander | NO (phantom) | Low | Bundled in blob |
| flat-cache | NO (phantom) | Low | Bundled in blob |
| starknet | NO (phantom) | Medium | Pulls suspicious sub-dep @starknet-io/get-starknet-wallet-standard |
| valibot | NO (phantom) | Low | Bundled in blob |
All 9 declared dependencies are bundled into dist/cli.js (380,401 lines) rather than imported normally, making them phantom dependencies by the scanner's definition.
The package.json declares a postinstall hook:
"postinstall": "node ./dist/cli.js --install 2>/dev/null || true"
When run, cli.js --install writes a SKILL.md file to ~/.claude/commands/xverse-agent-wallet/:
const installSkill = async () => {
const claudeDir = join7(homedir3(), ".claude");
// ...
const skillDir = join7(getClaudeSkillsDir(), SKILL_DIR_NAME);
await mkdir2(skillDir, { recursive: true });
const content = await getSkillContent();
const dest = join7(skillDir, SKILL_FILE);
await writeFile2(dest, content, "utf-8");
};
The 2>/dev/null || true suppresses all errors, making the installation silent even if it fails.
The injected SKILL.md instructs Claude Code to execute wallet commands including:
wallet create, wallet restore)bitcoin send, stacks send, runes send)The skill includes a --yes flag that bypasses confirmation prompts. While the skill text says to ask the user first, the mechanism enables AI-driven financial transactions.
argon2@0.31.2 is declared but never imported in source files. It has an install lifecycle script:
install: "cross-env ZERO_AR_DATE=1 node-gyp-build"
This compiles native code on install. While argon2 is used internally (bundled in the blob at line 371929 for password hashing), declaring it as a dependency causes the native build to run on npm install, which executes arbitrary build scripts.
@buildonspark/lightning-mpp-sdk@0.1.4 was created only 18 days before this package was published. New packages as dependencies are a supply chain risk — they have no audit history and could be compromised or typosquatted.
The cli.js bundle contains hardcoded paths from CI:
/home/runner/work/xverse-core-private/xverse-core-private/
The source repository xverse-core-private is private and cannot be audited. The published package is a 380,401-line bundle built from this private source.
Package name @secretkeylabs/xverse-agent-wallet does not match the repository name xverse-core-private. The package appears to be a subset of a larger private monorepo.
The phantom dep starknet@9.2.1 pulls in @starknet-io/get-starknet-wallet-standard, which is flagged as a suspicious transitive dependency.
The 380K-line bundle contains:
@scure/bip32)api.secretkeylabs.io| Technique | ID | Evidence |
|---|---|---|
| Supply Chain Compromise: Compromise Software Dependencies | T1195.001 | 9 phantom dependencies, one with native lifecycle script |
| Event Triggered Execution | T1546 | postinstall writes Claude Code skill file |
| Boot or Logon Autostart Execution | T1547 | Skill persists in ~/.claude/ across all sessions |
| Impair Defenses: Disable or Modify Tools | T1562.001 | Skill instructs AI to run wallet commands with --yes flag |
| Modify Authentication Process | T1556 | Injects behavior instructions into AI agent via skill file |
| Obfuscated Files or Information | T1027 | 380K-line bundled blob from private source |
| Unsecured Credentials: Private Keys | T1552.004 | Handles crypto private keys, seeds, mnemonics |
| Command and Control: Web Service | T1102 | API calls to api.secretkeylabs.io |
| Persistence: Compromise Host Software Binary | T1554 | Modifies Claude Code skill directory |
Suspicious — AI Skill Injection with Crypto Wallet Access. While this package may be a legitimate product from Secret Key Labs (the Xverse wallet developer), the combination of concerning patterns warrants caution:
argon2 phantom dep@buildonspark/lightning-mpp-sdk, 18 days old)The skill injection pattern — writing files to ~/.claude/ on npm install — is the same technique used by confirmed malicious packages like openmatrix. Even if the intent is legitimate, the approach creates a dangerous precedent where installing an npm package silently grants an AI agent the ability to manage cryptocurrency.
npm uninstall @secretkeylabs/xverse-agent-wallet
# Remove injected skill:
rm -rf ~/.claude/commands/xverse-agent-wallet/