npm · Malicious package advisory
Malwaresolana-dev-tools
MAL-2026-5559
Malicious code in solana-dev-tools (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (059c5a74392811a397d3868092b7bcc84fbfac9d2f3de1c69a6421cdf756b652)
On `npm install`, the package's postinstall hook (`node install.js`) executes a multi-stage attack against the installer's machine. It reads ~/.config/solana/id.json, ~/.solana/id.json, ~/.ssh/id_rsa, ~/.aws/credentials, project-local.env files, and bulk-scrapes process.env keys matching KEY|SECRET|MNEMONIC|PRIVATE|TOKEN|PASSWORD|RPC|AWS|NPM|GITHUB|CI|DEPLOY. The collected secrets are POSTed to api.telegram.org/bot<base64-decoded-token>/sendMessage. When any Solana keypair byte array is recovered, the script reconstructs the Keypair, queries mainnet-beta balance via api.mainnet-beta.solana.com, and issues a SystemProgram.transfer of the full balance minus 5000 lamports to the hardcoded attacker pubkey D4hGgKKaBFZV1NUTWvYRwbpu8HHr3qmDfHyKCTLqbaE7. The script also installs a `@reboot sleep 90 && node <install.js>` crontab entry for persistence across reboots. A sandbox-evasion routine inspects /.dockerenv, the AWS metadata IP 169.254.169.254, presence of strace/tcpdump, hex-style hostnames, and the presence of socket-security/snyk/npm-audit dependencies to suppress persistence in analysis environments while still attempting exfiltration. The package's stated purpose ("Solana development CLI tools") is a cover story; it impersonates legitimate Solana developer tooling.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.