VYPR

npm · Malicious package advisory

Malware

@merceas/anchor

MAL-2026-6509

Malicious code in @merceas/anchor (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (86a51319de26245ad91c68a6a6d0713454112443e55f466711e79eb1a23a45b8)
Package is published as @merceas/anchor but its README, homepage (https://github.com/coral-xyz/anchor#readme), repository, and source are a verbatim copy of @coral-xyz/anchor — a typosquat/impersonation of the legitimate Solana Anchor SDK. The package.json overrides the standard `cross-fetch` dependency with an npm alias to a fork under the same scope: `"cross-fetch": "npm:@merceas/cross-fetch@3.1.9"`. Installing this package silently pulls @merceas/cross-fetch into the dependency tree, routing every HTTP call made through the SDK (including dist/cjs/utils/registry.js's `https://api.apr.dev/api/v0/program/<id>/latest?limit=<n>` call, and any fetches consumers make via the SDK's transport) through code controlled by the same actor that published this typosquat. The cross-fetch substitution is the attack mechanism: the malicious payload is in the transitive package the installer is forced to pull, not in this tarball.

Compromised versions (2)

  • 0.32.1
  • 0.32.3

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.