npm · Malicious package advisory
Malware@solana-labs/ancor
MAL-2026-5786
Malicious code in @solana-labs/ancor (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (4d59b87155558b811b79a7d671f6dcd66bee47adff3a7022ab22d73f18d86369) Package name `@solana-labs/ancor` is a one-character typosquat of the legitimate `@coral-xyz/anchor` / `@project-serum/anchor` Solana framework, published under the `@solana-labs` scope to impersonate official Solana Labs tooling. `package.json` declares `"postinstall": "node install.js"`, which fires automatically on `npm install`. install.js reads host identifiers via `os.hostname()` and `process.platform`, invokes `child_process.execSync`, issues outbound HTTP/HTTPS traffic (including a `POST` at line 113 and a `curl` shell-out at line 173), and references `https://api.mainnet-beta.solana.com` as cover traffic. The combination of (a) impersonating-scope name targeting a top-tier ecosystem package, (b) a postinstall lifecycle hook executing a script that reads host identity and shells out to network primitives, and (c) execSync of arbitrary commands during install constitutes an install-time host reconnaissance / command-execution payload against any developer or build system that installs this package.
Compromised versions (6)
- 1.0.1
- 1.0.8
- 1.0.9
- 1.0.0
- 1.0.11
- 1.0.7
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.