VYPR

npm · Malicious package advisory

Malware

solana-mev-bot

MAL-2026-5861

Malicious code in solana-mev-bot (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e65516d3e042858742ebfee878ff2de6361994ce0155dcbf53c8e0f24cd5fafb)
bot.js performs a hardcoded HTTPS GET to api.telegram.org's bot sendMessage endpoint, transmitting host fingerprint data collected via os.hostname(), os.userInfo(), and process.platform. The file also imports child_process and reads from the filesystem (fs.existsSync / fs.readFileSync) alongside the network exfiltration primitive. The destination is an attacker-operated Telegram bot, used as an exfiltration channel to siphon installer host identity and likely credential/wallet material from disk. The package name impersonates a Solana MEV trading utility to lure crypto users into running it.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.