-= Per source details. Do not edit below this line.=-
Package is published as @solana-labs/etherjs but its README documents itself as @solana-labs/web3.js and instructs consumers to import { Connection, PublicKey, Keypair } from '@solana-labs/web3.js' — the legitimate Solana SDK is @solana/web3.js (no -labs). Developers who copy the README install line land on this package instead. The Node CommonJS and ESM bundles (lib/index.cjs.js, lib/index.esm.js) are a fork of solana-web3.js with an injected payload that, on require()/import, reads process.env (lines 11365-11366, 11448, 11453, 11542, 11547 in the CJS bundle) and POSTs the harvested data to a hardcoded bare IP http://104.239.66.223:8899 (line 11384) and to https://api.telegram.org/bot.../sendMessage with a fixed chat_id (lines 11415-11417). The same blocks repeatedly require('child_process') (lines 11441, 11466, 11479, 11495, 11535) and invoke curl, enabling attacker-influenced shell execution on the installer host. The browser/native bundles omit the payload, confirming it is gated to Node consumers. Both attacker destinations are hardcoded with no opt-out.
The OpenSSF Package Analysis project identified '@solana-labs/etherjs' @ 1.0.0 (npm) as malicious.
It is considered malicious because:
The package communicates with a domain associated with malicious activity.
The package executes one or more commands associated with malicious behavior.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.0"
],
"sha256": "f3c9e260b3ed97dca42969f7b7836399ce071c4708cffd473bd6b3cf62925401",
"source": "ossf-package-analysis",
"modified_time": "2026-06-07T05:44:38Z",
"import_time": "2026-06-09T12:03:47.084681057Z"
},
{
"versions": [
"1.98.111"
],
"sha256": "5c086a8d2c3022bc55743fdca944c8810b997ec203e8742606bf14cccee721db",
"source": "amazon-inspector",
"modified_time": "2026-06-11T03:16:26Z",
"import_time": "2026-06-11T03:48:53.240708311Z",
"id": "IN-MAL-2026-005453"
},
{
"versions": [
"1.98.112"
],
"sha256": "87969d62ce8c5d296289915afecd9628f33ba83360c4b120ffca330e91c91cdf",
"modified_time": "2026-06-11T03:10:04Z",
"source": "amazon-inspector",
"import_time": "2026-06-11T03:48:51.939970699Z",
"id": "IN-MAL-2026-005443"
},
{
"versions": [
"1.0.5"
],
"sha256": "dedfddcfb304a9fb1ef7feb17cd25b5cfa0583bcd67b1e634734df250cde357f",
"source": "amazon-inspector",
"modified_time": "2026-06-12T19:08:41Z",
"import_time": "2026-06-12T19:44:07.496603517Z",
"id": "IN-MAL-2026-006095"
},
{
"versions": [
"1.0.8"
],
"sha256": "f524609953350400e7b91186b24cfe6c963a4d056bf2095924e735589d988c5b",
"modified_time": "2026-06-12T19:08:46Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-006098",
"import_time": "2026-06-12T19:44:07.804864773Z"
},
{
"versions": [
"1.0.6"
],
"sha256": "10bffd4cf9af4c8810a38b392490f26a2ef2e8f2934676f269387346c9faecaf",
"modified_time": "2026-06-12T19:08:43Z",
"source": "amazon-inspector",
"import_time": "2026-06-12T19:44:07.6078943Z",
"id": "IN-MAL-2026-006096"
},
{
"versions": [
"1.0.10"
],
"sha256": "77ffb0e1cfca0e83eba3bde60175625c5d9db1dc2ab2b0ed7c36e371ce65bf7b",
"source": "amazon-inspector",
"modified_time": "2026-06-12T19:08:39Z",
"import_time": "2026-06-12T19:44:07.376048879Z",
"id": "IN-MAL-2026-006094"
},
{
"versions": [
"1.0.0"
],
"sha256": "80dbb609794f06305e091b2be9cc04f38e1d00703b686c006c8ba0297fc6d94c",
"modified_time": "2026-06-12T19:08:38Z",
"source": "amazon-inspector",
"import_time": "2026-06-12T19:44:07.182105092Z",
"id": "IN-MAL-2026-006092"
},
{
"versions": [
"1.0.0"
],
"sha256": "83a814b3dbc6b71ab3b64b1444224ff6cef32e405795d1b2c62a2f4a52c5d1d0",
"modified_time": "2026-06-12T19:08:38Z",
"source": "amazon-inspector",
"import_time": "2026-06-12T19:44:07.282518538Z",
"id": "IN-MAL-2026-006093"
},
{
"versions": [
"1.0.7"
],
"sha256": "8af8ac56e711c03e9a4ea0df7cfc05d9971ba5ab772857bb997008dabf578a78",
"modified_time": "2026-06-12T19:08:44Z",
"source": "amazon-inspector",
"import_time": "2026-06-12T19:44:07.715255559Z",
"id": "IN-MAL-2026-006097"
}
]
}{
"package_integrity": [
{
"filename": "etherjs-1.98.111.tgz",
"hashes": {
"sha512_sri": "sha512-rSIC7+wLUtQasShi7W5Bpo9Ko3aQkT8uGmYEWFclnqT7yHoQjxzkpaPG1cko/qfNhWx0ncjTavqYqUbMetpL7g==",
"sha1": "6b824a6ae60e8c206e9e729626166aceebd8b5c8"
}
}
],
"evidence_files": [
{
"sha256": "0bd897a24d4568395194d62574107085f61fdbf7cff72b924547f52d49825aa0",
"path": "package.json",
"tlsh": "9441f035cd4a8ca35ec4266aa9bd51437661c41b4e95f80c33cb750c8f4daaf227d62e"
},
{
"sha256": "22f44f38dd5594d4f8bccb223c6db16bc9d7cca18c4b576eb349d943080d6f46",
"path": "lib/index.cjs.js",
"tlsh": "3c84b2097af260a249a330661f2b6485a736d007350cd8757dce93742f5ebbc86b7fa4"
}
],
"domains": [
"ifconfig.me",
"api.telegram.org"
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@solana-labs/etherjs/MAL-2026-5362.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]