VYPR

npm · Malicious package advisory

Malware

@solana-labs/web3js

MAL-2026-5788

Malicious code in @solana-labs/web3js (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b79f799d106eaad2a09af8eac8b3ac64a46966e392ec423461facd26dc958705)
This package impersonates the legitimate @solana/web3.js library under a confusable scope (@solana-labs/web3js). On `npm install`, the postinstall hook executes install.js, which loads `os`, `child_process`, `fs`, and `https`, collects host identifiers via `os.hostname()` and `os.userInfo()` along with `process.platform`, probes filesystem paths via `fs.existsSync(...)`, and issues HTTPS POST requests carrying the harvested information. install.js also invokes `execSync('powershell...')` and `execSync('curl...')` to run shell commands fetched/triggered at install time. A reference to `http://www.apple.com` appears alongside the exfiltration code, consistent with connectivity-check or decoy behavior. The combination of name-squat against a widely used Solana library, automatic execution at install via postinstall, host enumeration, and shell execution constitutes an installer-targeted supply-chain attack.

Compromised versions (6)

  • 1.0.8
  • 1.0.7
  • 1.0.6
  • 1.0.0
  • 1.0.10
  • 1.0.5

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.