npm · Malicious package advisory
Malware@solana-labs/etherjs
MAL-2026-5362
Malicious code in @solana-labs/etherjs (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (5c086a8d2c3022bc55743fdca944c8810b997ec203e8742606bf14cccee721db)
Package is published as `@solana-labs/etherjs` but its README documents itself as `@solana-labs/web3.js` and instructs consumers to `import { Connection, PublicKey, Keypair } from '@solana-labs/web3.js'` — the legitimate Solana SDK is `@solana/web3.js` (no `-labs`). Developers who copy the README install line land on this package instead. The Node CommonJS and ESM bundles (`lib/index.cjs.js`, `lib/index.esm.js`) are a fork of solana-web3.js with an injected payload that, on `require()`/`import`, reads `process.env` (lines 11365-11366, 11448, 11453, 11542, 11547 in the CJS bundle) and POSTs the harvested data to a hardcoded bare IP `http://104.239.66.223:8899` (line 11384) and to `https://api.telegram.org/bot.../sendMessage` with a fixed `chat_id` (lines 11415-11417). The same blocks repeatedly `require('child_process')` (lines 11441, 11466, 11479, 11495, 11535) and invoke `curl`, enabling attacker-influenced shell execution on the installer host. The browser/native bundles omit the payload, confirming it is gated to Node consumers. Both attacker destinations are hardcoded with no opt-out.
## Source: ossf-package-analysis (f3c9e260b3ed97dca42969f7b7836399ce071c4708cffd473bd6b3cf62925401)
The OpenSSF Package Analysis project identified '@solana-labs/etherjs' @ 1.0.0 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
- The package executes one or more commands associated with malicious behavior.
Compromised versions (8)
- 1.0.0
- 1.98.111
- 1.98.112
- 1.0.5
- 1.0.8
- 1.0.6
- 1.0.10
- 1.0.7
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.