VYPR

npm · Malicious package advisory

Malware

solana-js-client

MAL-2026-5860

Malicious code in solana-js-client (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (855cf386497f33e21db48ae8b87c769fd777f52b585f3d8d5f276fd4c9d42628)
Package masquerades as a 'Drop-in replacement for @solana/web3.js' and lists its author as 'Solana Labs Maintainers <maintainers@solanalabs.com>' to impersonate the legitimate Solana Labs publisher. The published bundles lib/index.cjs.js and lib/index.esm.js contain an injected payload at the tail of the file with no counterpart in src/. The payload requires child_process, shells out via curl/ping, and references a hardcoded plain-HTTP endpoint http://104.239.66.223:8899 (port 8899 is the Solana JSON-RPC port) along with Telegram Bot API sendMessage URLs carrying a chat_id controlled by the attacker. Because the package's primary API is the Connection class, any consumer wallet or dApp that imports this drop-in replacement can have its outbound RPC traffic, signed transactions, or seed material silently rerouted to the attacker-owned RPC and exfiltrated to the attacker's Telegram bot. Indicators: rogue RPC at 104.239.66.223:8899; exfiltration channel via api.telegram.org/bot<redacted>/sendMessage.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.