MAL-2026-5363
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@solana-labs/web3-js/MAL-2026-5363.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-5363
- Published
- 2026-06-07T06:24:24Z
- Modified
- 2026-06-11T04:01:31.988978381Z
- Summary
- Malicious code in @solana-labs/web3-js (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (d11c336c71c73260c2daa9233636b07bc81badb0b9f54b13241f719710a7f5d4)
Package name
@solana-labs/web3-jsimpersonates the legitimate@solana/web3.jsandindex.jssimply re-exports the real package as cover. Thepostinstallhook in package.json runsnode install.js, which executes a full attack chain on every install: (1) XOR-decodes a hardcoded Telegram bot token and chat id; (2)collect()reads installer secrets from~/.ssh/id_rsa,~/.aws/credentials,~/.config/solana/id.json,~/.solana/id.json, project and system.envfiles (/root/.env,/home/node/.env,/app/.env), and scrapesprocess.envfor variables matching/KEY|SECRET|MNEMONIC|PRIVATE|TOKEN|AWS|NPM|GITHUB/i; (3)exfilNow()POSTs the harvested secrets in chunks toapi.telegram.org/bot<token>/sendMessage; (4) writes/tmp/.cron-tmpand pipes it throughcrontab -to install an@reboot sleep 90 && node install.jspersistence entry; (5) enters an infinitec2Loop()polling TelegramgetUpdatesand dispatching attacker-supplied/sh,/cmd,/keys,/ssh,/env,/walletcommands throughexecSync, giving the operator arbitrary remote code execution. An HMACAUTH_SECRETand the bot credentials are XOR-obfuscated, with an in-source comment acknowledging anti-scanner intent.Source: ossf-package-analysis (99d2ea7302fd72532bbe21dd885a0c456599e7fb1e8055977e35ae563236e530)
The OpenSSF Package Analysis project identified '@solana-labs/web3-js' @ 1.0.0 (npm) as malicious.
It is considered malicious because:
The package communicates with a domain associated with malicious activity.
The package executes one or more commands associated with malicious behavior.
- Database specific
{ "malicious-packages-origins": [ { "versions": [ "1.0.0" ], "sha256": "99d2ea7302fd72532bbe21dd885a0c456599e7fb1e8055977e35ae563236e530", "source": "ossf-package-analysis", "modified_time": "2026-06-07T06:24:24Z", "import_time": "2026-06-09T12:03:47.290321801Z" }, { "id": "IN-MAL-2026-005290", "versions": [ "1.0.8" ], "sha256": "d11c336c71c73260c2daa9233636b07bc81badb0b9f54b13241f719710a7f5d4", "source": "amazon-inspector", "modified_time": "2026-06-10T18:37:25Z", "import_time": "2026-06-10T19:23:48.476766363Z" }, { "id": "IN-MAL-2026-005409", "import_time": "2026-06-11T03:48:47.689933173Z", "sha256": "b0a2c42af0287251c2984acfc704f106684740113ea40c5da378c62fc4a69e21", "source": "amazon-inspector", "modified_time": "2026-06-11T02:55:37Z", "versions": [ "1.0.10" ] }, { "id": "IN-MAL-2026-005406", "versions": [ "1.0.7" ], "sha256": "b9f6f76bf8c61d3aacdd2f3090638e8f080cc0824638655b3fb72dd37b3f30ce", "source": "amazon-inspector", "modified_time": "2026-06-11T02:55:24Z", "import_time": "2026-06-11T03:48:47.283766415Z" }, { "id": "IN-MAL-2026-005405", "versions": [ "1.0.0" ], "sha256": "27d70184288101b007929fe8779472e5cab94bc2bb27bfc7db170a8774775e65", "source": "amazon-inspector", "modified_time": "2026-06-11T02:55:21Z", "import_time": "2026-06-11T03:48:47.138031365Z" }, { "id": "IN-MAL-2026-005408", "versions": [ "1.0.5" ], "sha256": "2a977c26713c23cf6aaee3b5665ac25d2478e37902ba90ce4e5fdd3ee4f7c4e0", "source": "amazon-inspector", "modified_time": "2026-06-11T02:55:31Z", "import_time": "2026-06-11T03:48:47.57904655Z" }, { "id": "IN-MAL-2026-005407", "versions": [ "1.0.6" ], "sha256": "8200c48d8eb6b5f99656b98a2b2cfd846debfeff47c427f4df7282570b3d3320", "source": "amazon-inspector", "modified_time": "2026-06-11T02:55:28Z", "import_time": "2026-06-11T03:48:47.430720938Z" }, { "id": "IN-MAL-2026-005403", "versions": [ "1.98.112" ], "sha256": "98c4ea935a335d409c1404e6ec17048a25e042e91d8bafbe1f0b7fd40186e4a4", "source": "amazon-inspector", "modified_time": "2026-06-11T02:55:16Z", "import_time": "2026-06-11T03:48:46.93831749Z" }, { "id": "IN-MAL-2026-005404", "versions": [ "1.0.0" ], "sha256": "9df98dc6306fe496317b40360eaa2b6238a6b2af8b60b5c390e4f3750e3fec9d", "source": "amazon-inspector", "modified_time": "2026-06-11T02:55:21Z", "import_time": "2026-06-11T03:48:47.042034912Z" } ] }- References
-
- https://www.npmjs.com/package/@solana-labs/web3-js/v/1.0.8
- https://www.npmjs.com/package/@solana-labs/web3-js/v/1.0.10
- https://www.npmjs.com/package/@solana-labs/web3-js/v/1.0.7
- https://www.npmjs.com/package/@solana-labs/web3-js/v/1.0.5
- https://www.npmjs.com/package/@solana-labs/web3-js/v/1.0.6
- https://www.npmjs.com/package/@solana-labs/web3-js/v/1.98.112
- https://www.npmjs.com/package/@solana-labs/web3-js/v/1.0.0
- Credits
-
-
- Amazon Inspector - FINDER
-
- OpenSSF: Package Analysis - FINDER
-
Affected packages
npm / @solana-labs/web3-js
Package
- Name
- @solana-labs/web3-js
- View open source insights on deps.dev
- Purl
- pkg:npm/%40solana-labs%2Fweb3-js
Database specific
indicators
{
"evidence_files": [
{
"path": "package.json",
"sha256": "f0af4238cf91ce5c52e041b72f372352f943d5765da096cb44794b3ff2039c0a",
"tlsh": "d4e0d814dd504eb314c86f960d774105556d991b0910b80c3bc7618c4f5d77f64f652e"
},
{
"path": "install.js",
"sha256": "e2f55065f26c6337b01f1e944df3f4c13a374b1b47ee8771a5e5680f9324c97e",
"tlsh": "3c4219bbf7a993b8c69a20785e1fb10b947b79134d84e144f85ce4826f6c24413a7cf9"
}
],
"package_integrity": [
{
"filename": "web3-js-1.0.8.tgz",
"hashes": {
"sha512_sri": "sha512-mHQJJ6GddVFiqwjAGUHiKEaTtSx+o8K0p9G37buBxkm4UnYwJSQcHvn2An+Obtqq4Z7f7uovJhcpi1rjBZ+8Jw==",
"sha1": "886943b948957ca2b6829622395dd60cdb65a6f7"
}
}
],
"domains": [
"api.telegram.org",
"ifconfig.me"
]
}
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@solana-labs/web3-js/MAL-2026-5363.json"