MAL-2026-5788
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@solana-labs/web3js/MAL-2026-5788.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-5788
- Published
- 2026-06-15T17:15:14Z
- Modified
- 2026-06-15T17:31:49.285911692Z
- Summary
- Malicious code in @solana-labs/web3js (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (b79f799d106eaad2a09af8eac8b3ac64a46966e392ec423461facd26dc958705)
This package impersonates the legitimate @solana/web3.js library under a confusable scope (@solana-labs/web3js). On
npm install, the postinstall hook executes install.js, which loadsos,child_process,fs, andhttps, collects host identifiers viaos.hostname()andos.userInfo()along withprocess.platform, probes filesystem paths viafs.existsSync(...), and issues HTTPS POST requests carrying the harvested information. install.js also invokesexecSync('powershell...')andexecSync('curl...')to run shell commands fetched/triggered at install time. A reference tohttp://www.apple.comappears alongside the exfiltration code, consistent with connectivity-check or decoy behavior. The combination of name-squat against a widely used Solana library, automatic execution at install via postinstall, host enumeration, and shell execution constitutes an installer-targeted supply-chain attack. - Database specific
{ "malicious-packages-origins": [ { "id": "IN-MAL-2026-006571", "import_time": "2026-06-15T17:22:51.267771759Z", "source": "amazon-inspector", "versions": [ "1.0.8" ], "sha256": "154c1945271241882ae87bc62a23737410f47d3c4d5bba00512af9d5a56efe5b", "modified_time": "2026-06-15T17:15:22Z" }, { "id": "IN-MAL-2026-006566", "import_time": "2026-06-15T17:22:50.922747765Z", "source": "amazon-inspector", "versions": [ "1.0.7" ], "sha256": "f5a3f5b21565aec159a2ed4715dd9616dbd9d8dcd43b08bb910193ee588da447", "modified_time": "2026-06-15T17:15:19Z" }, { "id": "IN-MAL-2026-006572", "import_time": "2026-06-15T17:22:51.361048729Z", "source": "amazon-inspector", "versions": [ "1.0.8" ], "modified_time": "2026-06-15T17:15:23Z", "sha256": "fb19c365b2473db2041cdda820b816e8d425e9769e496677b23b8cdeb05872d0" }, { "id": "IN-MAL-2026-006562", "import_time": "2026-06-15T17:22:50.605115454Z", "source": "amazon-inspector", "versions": [ "1.0.6" ], "sha256": "2fc0c80b84dcef600acb67cb8160f0ab52a49ba8df7d4e580466124435d09bbf", "modified_time": "2026-06-15T17:15:16Z" }, { "id": "IN-MAL-2026-006570", "import_time": "2026-06-15T17:22:51.190598973Z", "source": "amazon-inspector", "versions": [ "1.0.0" ], "modified_time": "2026-06-15T17:15:21Z", "sha256": "41785a71dc9811b8238c1766d0cbd16f34bfad11aa726fbfe2a3db4649246782" }, { "id": "IN-MAL-2026-006563", "import_time": "2026-06-15T17:22:50.655806541Z", "source": "amazon-inspector", "versions": [ "1.0.10" ], "modified_time": "2026-06-15T17:15:17Z", "sha256": "9916e7d1a9cf016186b532c3bb0a64848fe7a14da68984d9500a1fdb859bd972" }, { "id": "IN-MAL-2026-006568", "import_time": "2026-06-15T17:22:51.057633915Z", "source": "amazon-inspector", "versions": [ "1.0.7" ], "modified_time": "2026-06-15T17:15:20Z", "sha256": "2c46f3a816002f536ea6d4f674c13988a2da8febe492682f65ec57720df1bc97" }, { "id": "IN-MAL-2026-006565", "import_time": "2026-06-15T17:22:50.801462174Z", "source": "amazon-inspector", "versions": [ "1.0.10" ], "sha256": "36ca261f1c644617beb33a34e2530f5d4d8ded155cc385c65a5ac3dab7fd1123", "modified_time": "2026-06-15T17:15:18Z" }, { "id": "IN-MAL-2026-006567", "import_time": "2026-06-15T17:22:50.966270438Z", "source": "amazon-inspector", "versions": [ "1.0.5" ], "modified_time": "2026-06-15T17:15:20Z", "sha256": "3b60338ab17ff69f9602cd9bf37ca9c25b1335c777bafbd3d4e2f2842d2e05a4" }, { "id": "IN-MAL-2026-006561", "import_time": "2026-06-15T17:22:50.563036753Z", "source": "amazon-inspector", "versions": [ "1.0.5" ], "modified_time": "2026-06-15T17:15:14Z", "sha256": "a3eef5d02e2a799b24f5bc84c6fa4e57bc922a7182ba07145dc07c2ac5199238" }, { "id": "IN-MAL-2026-006569", "import_time": "2026-06-15T17:22:51.127216979Z", "versions": [ "1.0.0" ], "source": "amazon-inspector", "modified_time": "2026-06-15T17:15:21Z", "sha256": "b79f799d106eaad2a09af8eac8b3ac64a46966e392ec423461facd26dc958705" }, { "id": "IN-MAL-2026-006564", "import_time": "2026-06-15T17:22:50.715837093Z", "versions": [ "1.0.6" ], "source": "amazon-inspector", "modified_time": "2026-06-15T17:15:18Z", "sha256": "e83ed61e8324ee03cada69746e85f8e90b42e95ea300fc73e5b47a7e6c214d51" } ] }- References
-
- https://www.npmjs.com/package/@solana-labs/web3js/v/1.0.8
- https://www.npmjs.com/package/@solana-labs/web3js/v/1.0.7
- https://www.npmjs.com/package/@solana-labs/web3js/v/1.0.6
- https://www.npmjs.com/package/@solana-labs/web3js/v/1.0.10
- https://www.npmjs.com/package/@solana-labs/web3js/v/1.0.5
- https://www.npmjs.com/package/@solana-labs/web3js/v/1.0.0
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / @solana-labs/web3js
Package
- Name
- @solana-labs/web3js
- View open source insights on deps.dev
- Purl
- pkg:npm/%40solana-labs%2Fweb3js
Database specific
cwes
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@solana-labs/web3js/MAL-2026-5788.json"
indicators
{
"package_integrity": [
{
"filename": "web3js-1.0.8.tgz",
"hashes": {
"sha1": "8a3386a122b028099102f59c0749dd0371a9d567",
"sha512_sri": "sha512-BVQTY7YZ7XTgcwC+YaPtN4jRS+d/tcMEX23LlTOmqty/Lz78BzMM8N0M9d+/7dd6d/UtirZahTB2gbyUmym8+g=="
}
}
],
"evidence_files": [
{
"path": "install.js",
"sha256": "e2f55065f26c6337b01f1e944df3f4c13a374b1b47ee8771a5e5680f9324c97e",
"tlsh": "3c4219bbf7a993b8c69a20785e1fb10b947b79134d84e144f85ce4826f6c24413a7cf9"
},
{
"path": "package.json",
"sha256": "88b51b762faf72d4a4421e8767bbe6abcf6d9a9bb95ebf4fc11eda2108cdf91f",
"tlsh": "06e0d824ce504e7324c42e9a0d37814a1525481705047c0c7bd3908c8b4e63f28fa11e"
}
],
"ips": [
"104.16.7.34"
],
"domains": [
"ifconfig.me",
"api.telegram.org"
]
}