-= Per source details. Do not edit below this line.=-
The package name @solana-labs/spl-toke omits one character from the legitimate @solana-labs/spl-token package, abusing the official Solana Labs scope-and-name shape to confuse installers. The bundled outputs at lib/index.cjs.js and lib/index.esm.js contain repeated co-occurrences of require('child_process'), curl invocations, fetch( calls, and POST request shapes spread across many lines (e.g. in the cjs bundle, lines 11441, 11466, 11479, 11495, 11535 for child_process; lines 11441, 11495, 11535, 11589, 11629 for curl; lines 5041/5046, 11464, 11558, 11652 for fetch+POST). The combination of (a) a clear typosquat against a top-tier blockchain SDK namespace and (b) bundled subprocess and outbound HTTP primitives in a package that purports to be a thin SPL-token client matches the shape of a supply-chain dropper or exfiltration package, and the package should not be allowed to install on developer or build machines. For detection, the package name, the listed versions and the tarball integrity hashes below are more specific than the network indicators: 10.1.0.2 is a private (RFC 1918) address, and ifconfig.me and api.telegram.org are shared public services that also carry legitimate traffic.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-006587",
"import_time": "2026-06-15T17:22:52.468191324Z",
"source": "amazon-inspector",
"versions": [
"1.0.0"
],
"modified_time": "2026-06-15T17:15:46Z",
"sha256": "0a75812030937ae0ecf6c5d267667b2454058a324711bf3280ed3e97eb5f8b5a"
},
{
"id": "IN-MAL-2026-006575",
"import_time": "2026-06-15T17:22:51.550001368Z",
"source": "amazon-inspector",
"versions": [
"1.98.112"
],
"modified_time": "2026-06-15T17:15:38Z",
"sha256": "f92bf1c5408d5c80d1bb78242f7315df61273713e07dfad4892f01d0c451e916"
},
{
"id": "IN-MAL-2026-006581",
"import_time": "2026-06-15T17:22:51.946454218Z",
"source": "amazon-inspector",
"versions": [
"1.0.8"
],
"modified_time": "2026-06-15T17:15:43Z",
"sha256": "0b23badd2ad9e0607dabb4d58bc78762691e31c58c9b548db11e0543e21d40fc"
},
{
"id": "IN-MAL-2026-006577",
"import_time": "2026-06-15T17:22:51.706654664Z",
"source": "amazon-inspector",
"versions": [
"1.98.111"
],
"modified_time": "2026-06-15T17:15:40Z",
"sha256": "5e83e440dfb72440a6534ecc320ef618b829630c5cb0fbed432f1237fd45f9ec"
},
{
"id": "IN-MAL-2026-006579",
"import_time": "2026-06-15T17:22:51.804434725Z",
"source": "amazon-inspector",
"versions": [
"1.0.10"
],
"modified_time": "2026-06-15T17:15:41Z",
"sha256": "75b8b946808d1c68fd9c479993b8ed19b103030b3d37a6feeba099f6d4c02b62"
},
{
"id": "IN-MAL-2026-006574",
"import_time": "2026-06-15T17:22:51.488796677Z",
"source": "amazon-inspector",
"versions": [
"1.98.112"
],
"modified_time": "2026-06-15T17:15:37Z",
"sha256": "d10819a7af9f7f0fd57651626b41a13492ba3841206caa870fdcfbbb0516836b"
},
{
"id": "IN-MAL-2026-006584",
"import_time": "2026-06-15T17:22:52.136334677Z",
"source": "amazon-inspector",
"versions": [
"1.0.5"
],
"modified_time": "2026-06-15T17:15:44Z",
"sha256": "96715c34660630d56f91507a3de9fe64c47de50c19afe8de61107ecc78a0ac38"
},
{
"id": "IN-MAL-2026-006582",
"import_time": "2026-06-15T17:22:52.013468649Z",
"source": "amazon-inspector",
"versions": [
"1.0.6"
],
"modified_time": "2026-06-15T17:15:43Z",
"sha256": "a91d0a65c4acdc298a7775a0f4a2e3a65dd07ede8c4731fabefce12525ae38e6"
},
{
"id": "IN-MAL-2026-006573",
"import_time": "2026-06-15T17:22:51.427877495Z",
"versions": [
"1.0.7"
],
"source": "amazon-inspector",
"modified_time": "2026-06-15T17:15:36Z",
"sha256": "ae699ea42c65454a0a9fd55bfd47f9eb9647b9a2dcc604ddd4296cf5a72a32ce"
},
{
"id": "IN-MAL-2026-006586",
"import_time": "2026-06-15T17:22:52.315726076Z",
"source": "amazon-inspector",
"versions": [
"1.0.0"
],
"modified_time": "2026-06-15T17:15:46Z",
"sha256": "f4473251be335760795fc2692450b59c06efa8a7227daf3c2d384cd26f1808d5"
},
{
"id": "IN-MAL-2026-006585",
"import_time": "2026-06-15T17:22:52.182372609Z",
"source": "amazon-inspector",
"versions": [
"1.0.5"
],
"modified_time": "2026-06-15T17:15:45Z",
"sha256": "16921c38f633d6edf7d7207cdc7cb695891a2f6d8cc6f234144a9ca4f3bd90a0"
},
{
"id": "IN-MAL-2026-006580",
"import_time": "2026-06-15T17:22:51.887968003Z",
"source": "amazon-inspector",
"versions": [
"1.0.10"
],
"modified_time": "2026-06-15T17:15:42Z",
"sha256": "1e6354850b8587cc5b396376a5401bbe99f34df134f815a39c9690e37a21e75f"
},
{
"id": "IN-MAL-2026-006576",
"import_time": "2026-06-15T17:22:51.620339983Z",
"source": "amazon-inspector",
"versions": [
"1.98.111"
],
"modified_time": "2026-06-15T17:15:39Z",
"sha256": "490ce5d7e43d8a79aa85bbd24e7140ed074eee472f375092ab9b4cd650ce41f8"
},
{
"id": "IN-MAL-2026-006578",
"import_time": "2026-06-15T17:22:51.757647988Z",
"source": "amazon-inspector",
"versions": [
"1.0.8"
],
"sha256": "4c3108856cfed00df1ae55c038ee7354339ba02864924e43baefb1ca13499531",
"modified_time": "2026-06-15T17:15:41Z"
},
{
"id": "IN-MAL-2026-006588",
"import_time": "2026-06-15T17:22:52.556768058Z",
"versions": [
"1.0.7"
],
"source": "amazon-inspector",
"modified_time": "2026-06-15T17:15:47Z",
"sha256": "6962bb20fc11a76d4a8235c0cf55f36a941167d4cae085e5a391ea7637b8ceb6"
},
{
"id": "IN-MAL-2026-006583",
"import_time": "2026-06-15T17:22:52.086784048Z",
"versions": [
"1.0.6"
],
"source": "amazon-inspector",
"modified_time": "2026-06-15T17:15:44Z",
"sha256": "e56cb6f556b8a711af49f2feabc153d8d20fc9f410db77a5da2855382f946803"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@solana-labs/spl-toke/MAL-2026-5787.json"
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
{
"package_integrity": [
{
"filename": "spl-toke-1.0.10.tgz",
"hashes": {
"sha1": "dcb812e6946a77a1e922c09d6143fbb92608cc43",
"sha512_sri": "sha512-m/Rr01AMHA8WQZK4p+DF8S6gHIBz0qy7Yk1+8PuOGM7K9GjDC8BAD+qEoPFP99Yw9tj/VNghNgkDKw0wpUB5Lg=="
}
}
],
"evidence_files": [
{
"path": "install.js",
"sha256": "5cf2676da1c145a83b72ff6272aa70be6866bc837a2c468f2c7da71e9b11d428",
"tlsh": "956207ebbbba93b8c69220745e2fb00754bbb5134d88d148b84cf4412fa834457a7df9"
},
{
"path": "package.json",
"sha256": "54830e384595b6e88b1f5c7ccada352690ba66b8b389f84b050e611367c2fa20",
"tlsh": "55e02610cd619d6324c42d9b0db78509191a893b0844b80c3bc3718d8fada3f19fb66e"
}
],
"ips": [
"149.154.166.110",
"10.1.0.2",
"104.16.9.34",
"34.160.111.145"
],
"domains": [
"ifconfig.me",
"api.telegram.org"
]
}