MAL-2026-5525
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@solana-labs/web3.js/MAL-2026-5525.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-5525
- Published
- 2026-06-10T18:37:05Z
- Modified
- 2026-06-11T04:01:30.971479660Z
- Summary
- Malicious code in @solana-labs/web3.js (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (91b0523027116b3981b0f1dfe925f01d8956eb19817aae6ea7d0022d5357fba4)
Package
@solana-labs/web3.jsimpersonates the legitimate@solana/web3.jsand re-exports it as cover while running a maliciouspostinstall(node install.js). Onnpm install, install.js performs sandbox-evasion checks (hostname pattern scoring for Docker/AWS/CI runners, /proc/uptime, presence of strace/tcpdump/auditd, AWS metadata 169.254.169.254, security-tooling dependencies) and aborts if it detects analysis. Otherwise it enumerates installer secrets —~/.ssh/id_rsa,~/.aws/credentials,~/.config/solana/id.json,.envfiles, and scrapesprocess.envfor KEY/SECRET/MNEMONIC/NPM/GITHUB tokens — and harvests crypto material including ETH private keys (/0x[a-fA-F0-9]{64}/), Solana 64-byte arrays, and AWS keys. Stolen data is tagged[ETH]/[SOLANA]/[AWS]/[SSH]/[NPM]/[GITHUB]and exfiltrated toapi.telegram.org/bot<token>/...using XOR-obfuscated bot token, chat ID, and HMAC auth secret embedded in install.js. install.js then enters a long-poll loop against TelegramgetUpdatesaccepting commands/keys,/ssh,/env,/wallet,/sh <cmd>, and bare text, executing them viaexecSync(PowerShell on Windows) and returning output to the attacker — a full reverse-shell C2 backdoor. Persistence is established via a@reboot sleep 90 && node <path>crontab entry. A hardcoded Solana drain addressD4hGgKKaBFZV1NUTWvYRwbpu8HHr3qmDfHyKCTLqbaE7is present for wallet theft. - Database specific
{ "malicious-packages-origins": [ { "id": "IN-MAL-2026-005289", "versions": [ "1.0.7" ], "sha256": "91b0523027116b3981b0f1dfe925f01d8956eb19817aae6ea7d0022d5357fba4", "source": "amazon-inspector", "modified_time": "2026-06-10T18:37:05Z", "import_time": "2026-06-10T19:23:48.407752036Z" }, { "id": "IN-MAL-2026-005412", "versions": [ "1.0.0" ], "sha256": "ecbc63549cc76fd907dd706b2179b18cd8c55b268dd09d8d9251bf809959d0ff", "source": "amazon-inspector", "modified_time": "2026-06-11T02:56:32Z", "import_time": "2026-06-11T03:48:48.040739264Z" }, { "id": "IN-MAL-2026-005413", "versions": [ "1.0.10" ], "sha256": "4d8c1fbfa898eecbdb8a68ea66a8df992831e3e5162eaddefc00aac759bbeca6", "source": "amazon-inspector", "modified_time": "2026-06-11T02:56:36Z", "import_time": "2026-06-11T03:48:48.167932571Z" }, { "id": "IN-MAL-2026-005411", "import_time": "2026-06-11T03:48:47.930436913Z", "sha256": "71cb6a46817602611ef7fff42f375bd177bcb9e0a896cf29dfdbd7e637ca8f11", "source": "amazon-inspector", "modified_time": "2026-06-11T02:56:32Z", "versions": [ "1.0.0" ] }, { "id": "IN-MAL-2026-005415", "versions": [ "1.0.6" ], "sha256": "91b279bb9db78faa1c5e6093b86517d3203181c5b832cbc8a5389b10173eb9aa", "source": "amazon-inspector", "modified_time": "2026-06-11T02:56:43Z", "import_time": "2026-06-11T03:48:48.448091892Z" }, { "id": "IN-MAL-2026-005414", "versions": [ "1.0.8" ], "sha256": "a72f1201ef049594dc4486cbb51dab1a840d8ff0ba9a9b54cabfd28bc16c0c60", "source": "amazon-inspector", "modified_time": "2026-06-11T02:56:40Z", "import_time": "2026-06-11T03:48:48.267985431Z" }, { "id": "IN-MAL-2026-005410", "versions": [ "1.98.112" ], "sha256": "e2d5a23bad2592218c4af9410b15a1f7f5cf1700cf5a8241e3ffeec8106c53e6", "source": "amazon-inspector", "modified_time": "2026-06-11T02:56:19Z", "import_time": "2026-06-11T03:48:47.805030599Z" } ] }- References
-
- https://www.npmjs.com/package/@solana-labs/web3.js/v/1.0.7
- https://www.npmjs.com/package/@solana-labs/web3.js/v/1.0.10
- https://www.npmjs.com/package/@solana-labs/web3.js/v/1.0.0
- https://www.npmjs.com/package/@solana-labs/web3.js/v/1.0.6
- https://www.npmjs.com/package/@solana-labs/web3.js/v/1.0.8
- https://www.npmjs.com/package/@solana-labs/web3.js/v/1.98.112
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / @solana-labs/web3.js
Package
- Name
- @solana-labs/web3.js
- View open source insights on deps.dev
- Purl
- pkg:npm/%40solana-labs%2Fweb3.js
Database specific
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
indicators
{
"evidence_files": [
{
"path": "install.js",
"sha256": "e2f55065f26c6337b01f1e944df3f4c13a374b1b47ee8771a5e5680f9324c97e",
"tlsh": "3c4219bbf7a993b8c69a20785e1fb10b947b79134d84e144f85ce4826f6c24413a7cf9"
}
],
"package_integrity": [
{
"filename": "web3.js-1.0.7.tgz",
"hashes": {
"sha512_sri": "sha512-tlYdcAHCeVemdvK8j8FpPJU4oBgQxguv3BMp4EDOXq16nd9D7YEVy7li4ilkGYXdw+wf7gJS3POOtDokbseIwQ==",
"sha1": "6521dabf12b7042da38d9f566ed10f74ad32b77a"
}
}
],
"domains": [
"ifconfig.me",
"api.telegram.org"
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@solana-labs/web3.js/MAL-2026-5525.json"