VYPR

npm · Malicious package advisory

Malware

@solana-labs/spl-toke

MAL-2026-5787

Malicious code in @solana-labs/spl-toke (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (490ce5d7e43d8a79aa85bbd24e7140ed074eee472f375092ab9b4cd650ce41f8)
Package name `@solana-labs/spl-toke` is a one-character omission of the legitimate `@solana-labs/spl-token` package, abusing the official Solana Labs scope-and-name shape to confuse installers. The bundled outputs at lib/index.cjs.js and lib/index.esm.js contain repeated co-occurrences of `require('child_process')`, `curl` invocations, `fetch(` calls, and `POST` request shapes spread across many lines (e.g. cjs lines 11441, 11466, 11479, 11495, 11535 for child_process; lines 11441, 11495, 11535, 11589, 11629 for curl; lines 5041/5046, 11464, 11558, 11652 for fetch+POST). The combination of (a) a clear typosquat against a top-tier blockchain SDK namespace and (b) bundled subprocess + outbound HTTP primitives in a package that purports to be a thin SPL-token client matches the supply-chain dropper/exfil shape and should not be allowed to install on developer or build machines.

Compromised versions (8)

  • 1.0.0
  • 1.98.112
  • 1.0.8
  • 1.98.111
  • 1.0.10
  • 1.0.5
  • 1.0.6
  • 1.0.7

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.