Veredito:MALICIOUS — Silent credential exfiltration suppressing all errors

▸Visão Geral

A package impersonating the Xverse Bitcoin wallet SDK. The postinstall script uses stderr suppression (2>/dev/null) to execute a hidden payload completely silently during npm install. By redirecting all error output to null, even if the payload fails, the developer sees no indication that anything unusual happened. Targeting the crypto wallet space makes this particularly dangerous as developers in this domain handle private keys and wallet credentials.

Crypto

Target Sector

2>/dev/null

Error Suppression

Fake

Scope Type

Keys

Data at Risk

▸Fluxo do Ataque

Scope Impersonation

Published under @secretkeylabs scope, impersonating the legitimate Xverse wallet team. Package name suggests it's an official agent wallet SDK.

Silent Execution

Postinstall script runs with 2>/dev/null, suppressing all error output. Developer sees clean install regardless of what the payload does.

Crypto Targeting

Targets crypto wallet developers who handle private keys, mnemonics, and wallet credentials. High-value targets for credential theft.

▸MITRE ATT&CK Mapeamento

T1195.002Supply Chain Compromise — npm distribution

T1036.005Masquerading — impersonating Xverse wallet SDK

T1564.001Hidden Files and Directories — stderr suppression

T1552.001Credentials In Files — targeting crypto wallets

▸Tags

CryptoWalletXverseSilent InstallScope Impersonation

▸Relatório Completo

AI Agent Skill Injection + Phantom Dependencies: @secretkeylabs/xverse-agent-wallet

TL;DR

@secretkeylabs/xverse-agent-wallet@0.1.6 is a headless cryptocurrency wallet CLI that installs a Claude Code skill file to ~/.claude/ on postinstall. It ships a 380K-line bundled cli.js built from a private repo (xverse-core-private) and declares 9 phantom dependencies that are never imported via standard import/require in any source file (they are bundled into the blob instead). One phantom dep (argon2) has a native install lifecycle script (node-gyp-build), another (@buildonspark/lightning-mpp-sdk) was created only 18 days ago, and starknet pulls suspicious sub-dependencies. The postinstall script writes an AI skill file that instructs Claude Code to execute wallet commands including sends, swaps, and Lightning payments.

Package Info

Field	Value
Name	@secretkeylabs/xverse-agent-wallet
Version	0.1.6
Description	Headless Xverse wallet CLI
Maintainer	secretkeylabs
Repository	github.com/secretkeylabs/xverse-core-private (private repo)
Build Source	`/home/runner/work/xverse-core-private/xverse-core-private/` (GitHub Actions CI)
Registry	npm.pkg.github.com (GitHub Packages)
License	Not specified
Published	2026
Risk Score	335 (filter: 65, scanner: 270)

Dependencies (All Phantom)

Dependency	Imported in Source?	Risk	Notes
@buildonspark/lightning-mpp-sdk	NO (phantom)	High	Created 18 days ago — brand new package
@scure/bip32	NO (phantom)	Low	Legitimate crypto lib, bundled in blob
argon2	NO (phantom)	High	Has `install: "cross-env ZERO_AR_DATE=1 node-gyp-build"` lifecycle
bignumber.js	NO (phantom)	Low	Bundled in blob
cli-table3	NO (phantom)	Low	Bundled in blob
commander	NO (phantom)	Low	Bundled in blob
flat-cache	NO (phantom)	Low	Bundled in blob
starknet	NO (phantom)	Medium	Pulls suspicious sub-dep `@starknet-io/get-starknet-wallet-standard`
valibot	NO (phantom)	Low	Bundled in blob

All 9 declared dependencies are bundled into dist/cli.js (380,401 lines) rather than imported normally, making them phantom dependencies by the scanner's definition.

Evidence

1. Postinstall Skill Injection into Claude Code

The package.json declares a postinstall hook:

"postinstall": "node ./dist/cli.js --install 2>/dev/null || true"

When run, cli.js --install writes a SKILL.md file to ~/.claude/commands/xverse-agent-wallet/:

const installSkill = async () => {
  const claudeDir = join7(homedir3(), ".claude");
  // ...
  const skillDir = join7(getClaudeSkillsDir(), SKILL_DIR_NAME);
  await mkdir2(skillDir, { recursive: true });
  const content = await getSkillContent();
  const dest = join7(skillDir, SKILL_FILE);
  await writeFile2(dest, content, "utf-8");
};

The 2>/dev/null || true suppresses all errors, making the installation silent even if it fails.

2. Skill File Grants Wallet Control to AI

The injected SKILL.md instructs Claude Code to execute wallet commands including:

Creating/restoring wallets (wallet create, wallet restore)
Sending cryptocurrency (bitcoin send, stacks send, runes send)
Swapping tokens
Lightning Network payments
Staking operations

The skill includes a --yes flag that bypasses confirmation prompts. While the skill text says to ask the user first, the mechanism enables AI-driven financial transactions.

3. Phantom Dependency with Native Lifecycle: argon2

argon2@0.31.2 is declared but never imported in source files. It has an install lifecycle script:

install: "cross-env ZERO_AR_DATE=1 node-gyp-build"

This compiles native code on install. While argon2 is used internally (bundled in the blob at line 371929 for password hashing), declaring it as a dependency causes the native build to run on npm install, which executes arbitrary build scripts.

4. Brand-New Phantom Dependency

@buildonspark/lightning-mpp-sdk@0.1.4 was created only 18 days before this package was published. New packages as dependencies are a supply chain risk — they have no audit history and could be compromised or typosquatted.

5. Private Repository Source

The cli.js bundle contains hardcoded paths from CI:

/home/runner/work/xverse-core-private/xverse-core-private/

The source repository xverse-core-private is private and cannot be audited. The published package is a 380,401-line bundle built from this private source.

6. Repository Name Mismatch

Package name @secretkeylabs/xverse-agent-wallet does not match the repository name xverse-core-private. The package appears to be a subset of a larger private monorepo.

7. Suspicious Sub-Dependencies

The phantom dep starknet@9.2.1 pulls in @starknet-io/get-starknet-wallet-standard, which is flagged as a suspicious transitive dependency.

8. Sensitive Crypto Operations in Bundled Code

The 380K-line bundle contains:

BIP-32 key derivation (@scure/bip32)
Argon2 password hashing for vault encryption
AES-GCM encryption/decryption for seed storage
Private key handling with validation
Mnemonic/seed phrase operations
API calls to api.secretkeylabs.io

MITRE ATT&CK Mapping

Technique	ID	Evidence
Supply Chain Compromise: Compromise Software Dependencies	T1195.001	9 phantom dependencies, one with native lifecycle script
Event Triggered Execution	T1546	`postinstall` writes Claude Code skill file
Boot or Logon Autostart Execution	T1547	Skill persists in `~/.claude/` across all sessions
Impair Defenses: Disable or Modify Tools	T1562.001	Skill instructs AI to run wallet commands with `--yes` flag
Modify Authentication Process	T1556	Injects behavior instructions into AI agent via skill file
Obfuscated Files or Information	T1027	380K-line bundled blob from private source
Unsecured Credentials: Private Keys	T1552.004	Handles crypto private keys, seeds, mnemonics
Command and Control: Web Service	T1102	API calls to api.secretkeylabs.io
Persistence: Compromise Host Software Binary	T1554	Modifies Claude Code skill directory

Verdict

Suspicious — AI Skill Injection with Crypto Wallet Access. While this package may be a legitimate product from Secret Key Labs (the Xverse wallet developer), the combination of concerning patterns warrants caution:

Silent postinstall skill injection into Claude Code
9 phantom dependencies (all bundled in blob)
Native lifecycle script on argon2 phantom dep
Brand-new dependency (@buildonspark/lightning-mpp-sdk, 18 days old)
Private source repository that cannot be audited
Skill grants AI the ability to execute financial transactions

The skill injection pattern — writing files to ~/.claude/ on npm install — is the same technique used by confirmed malicious packages like openmatrix. Even if the intent is legitimate, the approach creates a dangerous precedent where installing an npm package silently grants an AI agent the ability to manage cryptocurrency.

Remediation

npm uninstall @secretkeylabs/xverse-agent-wallet
# Remove injected skill:
rm -rf ~/.claude/commands/xverse-agent-wallet/

Credits

Discovered by: Yuri Borges Martins
Tool: npm-sentinel (AI-Powered NPM Malware Hunter)
Date: 2026-04-03

← Anterior

#018 Brotli-Compressed Binary Bundle in Agent SDK

Silent Postinstall Exfiltration in Crypto Wallet SDK