npm · Malicious package advisory
Malwaresolana-mev-bot
MAL-2026-5861
Malicious code in solana-mev-bot (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (e65516d3e042858742ebfee878ff2de6361994ce0155dcbf53c8e0f24cd5fafb) bot.js performs a hardcoded HTTPS GET to api.telegram.org's bot sendMessage endpoint, transmitting host fingerprint data collected via os.hostname(), os.userInfo(), and process.platform. The file also imports child_process and reads from the filesystem (fs.existsSync / fs.readFileSync) alongside the network exfiltration primitive. The destination is an attacker-operated Telegram bot, used as an exfiltration channel to siphon installer host identity and likely credential/wallet material from disk. The package name impersonates a Solana MEV trading utility to lure crypto users into running it.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.