npm · Malicious package advisory
Malwareexodus-solana-sdk
MAL-2026-5442
Malicious code in exodus-solana-sdk (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (ecffe98bff5e1c4655631cf8f92b1b1ccb534e0eeaa7043fab0d5fa1fbfabc35) Package name impersonates the Exodus cryptocurrency wallet brand (exodus-solana-sdk). package.json declares a postinstall hook (`node src/canary.js`) that fires automatically on `npm install`. canary.js performs a DNS lookup and HTTPS GET to a hardcoded `96e03fa6c292469a-172-245-86-254.serveousercontent.com` endpoint — a serveo.net reverse-tunnel domain that is anonymous, mutable, and operator-controlled. The hostname embeds an IPv4 address (172.245.86.254), and the response body is silently discarded (`r.resume()`), confirming the request's purpose is reconnaissance rather than data delivery to the installer. The beacon reveals the installer's egress IP, DNS resolver, and install-time event to whoever controls the tunnel. The package's own description self-identifies as a 'Security research canary — Exodus HackerOne PoC. Not a real package.', but it is published to the public npm registry where any developer who mistypes the package name will execute the beacon. Self-declared research framing does not neutralize installer-side harm: install-time outbound network to an anonymous tunnel under a brand-impersonating package name is the typosquat-reconnaissance attack shape.
Compromised versions (1)
- 99.0.0-canary.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.