VYPR

npm · Malicious package advisory

Malware

@solana-labs/web3.js

MAL-2026-5525

Malicious code in @solana-labs/web3.js (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (91b0523027116b3981b0f1dfe925f01d8956eb19817aae6ea7d0022d5357fba4)
Package `@solana-labs/web3.js` impersonates the legitimate `@solana/web3.js` and re-exports it as cover while running a malicious `postinstall` (`node install.js`). On `npm install`, install.js performs sandbox-evasion checks (hostname pattern scoring for Docker/AWS/CI runners, /proc/uptime, presence of strace/tcpdump/auditd, AWS metadata 169.254.169.254, security-tooling dependencies) and aborts if it detects analysis. Otherwise it enumerates installer secrets — `~/.ssh/id_rsa`, `~/.aws/credentials`, `~/.config/solana/id.json`, `.env` files, and scrapes `process.env` for KEY/SECRET/MNEMONIC/NPM/GITHUB tokens — and harvests crypto material including ETH private keys (`/0x[a-fA-F0-9]{64}/`), Solana 64-byte arrays, and AWS keys. Stolen data is tagged `[ETH]/[SOLANA]/[AWS]/[SSH]/[NPM]/[GITHUB]` and exfiltrated to `api.telegram.org/bot<token>/...` using XOR-obfuscated bot token, chat ID, and HMAC auth secret embedded in install.js. install.js then enters a long-poll loop against Telegram `getUpdates` accepting commands `/keys`, `/ssh`, `/env`, `/wallet`, `/sh <cmd>`, and bare text, executing them via `execSync` (PowerShell on Windows) and returning output to the attacker — a full reverse-shell C2 backdoor. Persistence is established via a `@reboot sleep 90 && node <path>` crontab entry. A hardcoded Solana drain address `D4hGgKKaBFZV1NUTWvYRwbpu8HHr3qmDfHyKCTLqbaE7` is present for wallet theft.

Compromised versions (6)

  • 1.0.7
  • 1.0.0
  • 1.0.10
  • 1.0.6
  • 1.0.8
  • 1.98.112

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.