MAL-2026-5362

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@solana-labs/etherjs/MAL-2026-5362.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5362
Published
2026-06-07T05:44:38Z
Modified
2026-06-12T20:01:52.759236676Z
Summary
Malicious code in @solana-labs/etherjs (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (5c086a8d2c3022bc55743fdca944c8810b997ec203e8742606bf14cccee721db)

Package is published as @solana-labs/etherjs but its README documents itself as @solana-labs/web3.js and instructs consumers to import { Connection, PublicKey, Keypair } from '@solana-labs/web3.js' — the legitimate Solana SDK is @solana/web3.js (no -labs). Developers who copy the README install line land on this package instead. The Node CommonJS and ESM bundles (lib/index.cjs.js, lib/index.esm.js) are a fork of solana-web3.js with an injected payload that, on require()/import, reads process.env (lines 11365-11366, 11448, 11453, 11542, 11547 in the CJS bundle) and POSTs the harvested data to a hardcoded bare IP http://104.239.66.223:8899 (line 11384) and to https://api.telegram.org/bot.../sendMessage with a fixed chat_id (lines 11415-11417). The same blocks repeatedly require('child_process') (lines 11441, 11466, 11479, 11495, 11535) and invoke curl, enabling attacker-influenced shell execution on the installer host. The browser/native bundles omit the payload, confirming it is gated to Node consumers. Both attacker destinations are hardcoded with no opt-out.

Source: ossf-package-analysis (f3c9e260b3ed97dca42969f7b7836399ce071c4708cffd473bd6b3cf62925401)

The OpenSSF Package Analysis project identified '@solana-labs/etherjs' @ 1.0.0 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

  • The package executes one or more commands associated with malicious behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.0"
            ],
            "sha256": "f3c9e260b3ed97dca42969f7b7836399ce071c4708cffd473bd6b3cf62925401",
            "source": "ossf-package-analysis",
            "modified_time": "2026-06-07T05:44:38Z",
            "import_time": "2026-06-09T12:03:47.084681057Z"
        },
        {
            "versions": [
                "1.98.111"
            ],
            "sha256": "5c086a8d2c3022bc55743fdca944c8810b997ec203e8742606bf14cccee721db",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T03:16:26Z",
            "import_time": "2026-06-11T03:48:53.240708311Z",
            "id": "IN-MAL-2026-005453"
        },
        {
            "versions": [
                "1.98.112"
            ],
            "sha256": "87969d62ce8c5d296289915afecd9628f33ba83360c4b120ffca330e91c91cdf",
            "modified_time": "2026-06-11T03:10:04Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-11T03:48:51.939970699Z",
            "id": "IN-MAL-2026-005443"
        },
        {
            "versions": [
                "1.0.5"
            ],
            "sha256": "dedfddcfb304a9fb1ef7feb17cd25b5cfa0583bcd67b1e634734df250cde357f",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:08:41Z",
            "import_time": "2026-06-12T19:44:07.496603517Z",
            "id": "IN-MAL-2026-006095"
        },
        {
            "versions": [
                "1.0.8"
            ],
            "sha256": "f524609953350400e7b91186b24cfe6c963a4d056bf2095924e735589d988c5b",
            "modified_time": "2026-06-12T19:08:46Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-006098",
            "import_time": "2026-06-12T19:44:07.804864773Z"
        },
        {
            "versions": [
                "1.0.6"
            ],
            "sha256": "10bffd4cf9af4c8810a38b392490f26a2ef2e8f2934676f269387346c9faecaf",
            "modified_time": "2026-06-12T19:08:43Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:44:07.6078943Z",
            "id": "IN-MAL-2026-006096"
        },
        {
            "versions": [
                "1.0.10"
            ],
            "sha256": "77ffb0e1cfca0e83eba3bde60175625c5d9db1dc2ab2b0ed7c36e371ce65bf7b",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:08:39Z",
            "import_time": "2026-06-12T19:44:07.376048879Z",
            "id": "IN-MAL-2026-006094"
        },
        {
            "versions": [
                "1.0.0"
            ],
            "sha256": "80dbb609794f06305e091b2be9cc04f38e1d00703b686c006c8ba0297fc6d94c",
            "modified_time": "2026-06-12T19:08:38Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:44:07.182105092Z",
            "id": "IN-MAL-2026-006092"
        },
        {
            "versions": [
                "1.0.0"
            ],
            "sha256": "83a814b3dbc6b71ab3b64b1444224ff6cef32e405795d1b2c62a2f4a52c5d1d0",
            "modified_time": "2026-06-12T19:08:38Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:44:07.282518538Z",
            "id": "IN-MAL-2026-006093"
        },
        {
            "versions": [
                "1.0.7"
            ],
            "sha256": "8af8ac56e711c03e9a4ea0df7cfc05d9971ba5ab772857bb997008dabf578a78",
            "modified_time": "2026-06-12T19:08:44Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:44:07.715255559Z",
            "id": "IN-MAL-2026-006097"
        }
    ]
}

Affected packages

npm / @solana-labs/etherjs

Package

Name
@solana-labs/etherjs
Purl
pkg:npm/%40solana-labs%2Fetherjs

Affected versions

1.*
1.0.0
1.0.5
1.0.6
1.0.7
1.0.8
1.0.10
1.98.111
1.98.112

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "etherjs-1.98.111.tgz",
            "hashes": {
                "sha512_sri": "sha512-rSIC7+wLUtQasShi7W5Bpo9Ko3aQkT8uGmYEWFclnqT7yHoQjxzkpaPG1cko/qfNhWx0ncjTavqYqUbMetpL7g==",
                "sha1": "6b824a6ae60e8c206e9e729626166aceebd8b5c8"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "0bd897a24d4568395194d62574107085f61fdbf7cff72b924547f52d49825aa0",
            "path": "package.json",
            "tlsh": "9441f035cd4a8ca35ec4266aa9bd51437661c41b4e95f80c33cb750c8f4daaf227d62e"
        },
        {
            "sha256": "22f44f38dd5594d4f8bccb223c6db16bc9d7cca18c4b576eb349d943080d6f46",
            "path": "lib/index.cjs.js",
            "tlsh": "3c84b2097af260a249a330661f2b6485a736d007350cd8757dce93742f5ebbc86b7fa4"
        }
    ],
    "domains": [
        "ifconfig.me",
        "api.telegram.org"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@solana-labs/etherjs/MAL-2026-5362.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]