-= Per source details. Do not edit below this line.=-
The package name @solana-labs/ancor is a one-character typosquat of the legitimate @coral-xyz/anchor / @project-serum/anchor Solana framework, published under the @solana-labs scope to impersonate official Solana Labs tooling. package.json declares "postinstall": "node install.js", which npm runs automatically on npm install unless lifecycle scripts are disabled (for example with --ignore-scripts). install.js reads host identifiers via os.hostname() and process.platform, invokes child_process.execSync, issues outbound HTTP/HTTPS traffic (including a POST at line 113 and a curl shell-out at line 173), and references https://api.mainnet-beta.solana.com as cover traffic. The combination of (a) a name under an impersonating scope that targets a top-tier ecosystem package, (b) a postinstall lifecycle hook executing a script that reads host identity and shells out to network primitives, and (c) execSync of arbitrary commands during install constitutes an install-time host reconnaissance / command-execution payload against any developer or build system that installs this package. Among the network indicators listed further down this page, 10.1.0.2 is a private (RFC 1918) address and ifconfig.me and api.telegram.org are shared public services, so they are triage context rather than standalone block-list entries; match on the package name, versions and hashes first.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-006600",
"import_time": "2026-06-15T17:22:53.536535124Z",
"source": "amazon-inspector",
"versions": [
"1.0.1"
],
"modified_time": "2026-06-15T17:17:28Z",
"sha256": "06e80dfe88b6d601c9312c9fc13275b703e5d05311232a3f1fa01b1c0a1f041b"
},
{
"id": "IN-MAL-2026-006599",
"import_time": "2026-06-15T17:22:53.441442777Z",
"source": "amazon-inspector",
"versions": [
"1.0.1"
],
"modified_time": "2026-06-15T17:17:27Z",
"sha256": "4341f9b2c0176d9259176539e69a12bec21bd872733a220066f2af7e8c852012"
},
{
"id": "IN-MAL-2026-006597",
"import_time": "2026-06-15T17:22:53.323149768Z",
"versions": [
"1.0.8"
],
"source": "amazon-inspector",
"modified_time": "2026-06-15T17:17:25Z",
"sha256": "a2dc1225b1e56ff04b029102d142b130bf7d9f65e2458034cd7ef630dcdaf5eb"
},
{
"id": "IN-MAL-2026-006592",
"import_time": "2026-06-15T17:22:52.810954547Z",
"source": "amazon-inspector",
"versions": [
"1.0.9"
],
"sha256": "e5786abeec93a264217ec9d4ca101ba0f491867bacf387dfd15e891fde36b634",
"modified_time": "2026-06-15T17:17:22Z"
},
{
"id": "IN-MAL-2026-006598",
"import_time": "2026-06-15T17:22:53.386804733Z",
"source": "amazon-inspector",
"versions": [
"1.0.8"
],
"modified_time": "2026-06-15T17:17:25Z",
"sha256": "0e572d1a61685cd04ccafca460d47a230f0306cca7692e3c1008f2b296592b22"
},
{
"id": "IN-MAL-2026-006590",
"import_time": "2026-06-15T17:22:52.70320754Z",
"source": "amazon-inspector",
"versions": [
"1.0.0"
],
"sha256": "3b513d317445b8431eda1751d82e7f50d2d7ef311a9891a7aa9a2fab706236c5",
"modified_time": "2026-06-15T17:17:18Z"
},
{
"id": "IN-MAL-2026-006589",
"import_time": "2026-06-15T17:22:52.659805192Z",
"source": "amazon-inspector",
"versions": [
"1.0.0"
],
"modified_time": "2026-06-15T17:17:17Z",
"sha256": "3c3f14460d22b93718d3fdf4337cc9b5f3a2526e4cb265a906a9c24d87671f98"
},
{
"id": "IN-MAL-2026-006593",
"import_time": "2026-06-15T17:22:52.929386825Z",
"source": "amazon-inspector",
"versions": [
"1.0.11"
],
"modified_time": "2026-06-15T17:17:22Z",
"sha256": "42c4ffd55383e8703ce8de56e582e1e0eaa2b57d522edb4b4356febd4134e6a5"
},
{
"id": "IN-MAL-2026-006591",
"import_time": "2026-06-15T17:22:52.749849529Z",
"source": "amazon-inspector",
"versions": [
"1.0.11"
],
"modified_time": "2026-06-15T17:17:21Z",
"sha256": "4d59b87155558b811b79a7d671f6dcd66bee47adff3a7022ab22d73f18d86369"
},
{
"id": "IN-MAL-2026-006594",
"import_time": "2026-06-15T17:22:53.05279153Z",
"versions": [
"1.0.9"
],
"source": "amazon-inspector",
"modified_time": "2026-06-15T17:17:23Z",
"sha256": "5feff6d83078f902bd5e7eaa2dd81f78c95289d86ccfcde5f30325c7609278a7"
},
{
"id": "IN-MAL-2026-006595",
"import_time": "2026-06-15T17:22:53.174797033Z",
"source": "amazon-inspector",
"versions": [
"1.0.7"
],
"modified_time": "2026-06-15T17:17:23Z",
"sha256": "8e001b6b18e1b0a1841b10d5e41b1403383d65f61e56f5363efcfc4102162892"
},
{
"id": "IN-MAL-2026-006596",
"import_time": "2026-06-15T17:22:53.241896585Z",
"source": "amazon-inspector",
"versions": [
"1.0.7"
],
"sha256": "c2e55c8cd359b7c45614d01f3d8f02bd9f27a9322c52decf65b1524500a0a396",
"modified_time": "2026-06-15T17:17:24Z"
}
]
}[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@solana-labs/ancor/MAL-2026-5786.json"
{
"package_integrity": [
{
"filename": "ancor-1.0.1.tgz",
"hashes": {
"sha1": "f3a17d5b7ce4972c58a87c9ddff158fe5b4135f4",
"sha512_sri": "sha512-f5xT6CykjGFIv9VehK/BeEtlU5pl5SQg52hAq+cBj2U6MHhuVQfVUs1tXD1V0BKsTg6EOVANcVx3ED0AlVXbWg=="
}
}
],
"evidence_files": [
{
"path": "install.js",
"sha256": "26862c85e8b88b8dcf7606678c286130b852dda467257d6e781c1c02293fc913",
"tlsh": "5a82e8a506fa5a2456a7f6ac3f0f5019251be10b3508ed55b94c8f946f8932883f2fec"
},
{
"path": "package.json",
"sha256": "586b641329f23e586cefeef5391e2fe64038b671abc3ea7feb1e27a48a32fd7e",
"tlsh": "9ad05b641b629d332dc45e9b0d33424d26751d174150744d1b9f3108d19d7b7e8ba62e"
}
],
"ips": [
"34.160.111.145",
"149.154.166.110",
"104.16.10.34",
"10.1.0.2"
],
"domains": [
"ifconfig.me",
"api.telegram.org"
]
}