MAL-2026-5559

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/solana-dev-tools/MAL-2026-5559.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5559
Published
2026-06-11T03:10:25Z
Modified
2026-06-11T04:01:29.219392140Z
Summary
Malicious code in solana-dev-tools (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (059c5a74392811a397d3868092b7bcc84fbfac9d2f3de1c69a6421cdf756b652)

On npm install, the package's postinstall hook (node install.js) runs a multi-stage attack against the installing machine. It reads ~/.config/solana/id.json, ~/.solana/id.json, ~/.ssh/id_rsa, ~/.aws/credentials and project-local .env files, and bulk-scrapes process.env for keys matching KEY|SECRET|MNEMONIC|PRIVATE|TOKEN|PASSWORD|RPC|AWS|NPM|GITHUB|CI|DEPLOY. The collected secrets are POSTed to api.telegram.org/bot<base64-decoded-token>/sendMessage. If any Solana keypair byte array is recovered, the script reconstructs the Keypair, queries the mainnet-beta balance via api.mainnet-beta.solana.com, and issues a SystemProgram.transfer of the full balance minus 5000 lamports to the hardcoded attacker pubkey D4hGgKKaBFZV1NUTWvYRwbpu8HHr3qmDfHyKCTLqbaE7. It also installs a crontab entry of the form @reboot sleep 90 && node <install.js> for persistence across reboots. A sandbox-evasion routine checks for /.dockerenv, the AWS metadata IP 169.254.169.254, the presence of strace or tcpdump, hex-style hostnames, and socket-security/snyk/npm-audit dependencies; in analysis environments it suppresses persistence but still attempts exfiltration. The package's stated purpose ("Solana development CLI tools") is a cover story; it impersonates legitimate Solana developer tooling.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005444",
            "import_time": "2026-06-11T03:48:52.043389493Z",
            "sha256": "059c5a74392811a397d3868092b7bcc84fbfac9d2f3de1c69a6421cdf756b652",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T03:10:25Z",
            "versions": [
                "1.0.0"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / solana-dev-tools

Package: solana-dev-tools (npm)
Affected ranges: 1.*
Affected versions: 1.0.0

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "install.js",
            "sha256": "ba202fac4b64450a33e343e5efe9cc580a3d4b802251bb7e8addf04b7d650c35",
            "tlsh": "83b10af696ea8364428d89ddec375106843ff6953903dcc0b86cbc412e8a1806b639fd"
        },
        {
            "path": "package.json",
            "sha256": "d9259be931f6c46fe60afe85941b70e815791ad8f1ce15e2463727ca80d91cd3",
            "tlsh": "37e0611cd56254332cc49d951d73824e15ab5d170244304c3b9b3004975c67e74bb72d"
        }
    ],
    "package_integrity": [
        {
            "filename": "solana-dev-tools-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-ClsOUMLz7wmmh5wBwndk//F3NOamZu2PGxmTl1gKC42OtC07OFiyR6aXvDiE1WwSE6STrjuYLIyerlCk2Y39Fw==",
                "sha1": "20dacb509aeea244f164e1c995b8b78b8f111da2"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/solana-dev-tools/MAL-2026-5559.json"