Vulnerability
Malicious code in @solana-labs/web3-js (npm)
---

_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (d11c336c71c73260c2daa9233636b07bc81badb0b9f54b13241f719710a7f5d4)

Package name `@solana-labs/web3-js` impersonates the legitimate `@solana/web3.js`, and `index.js` simply re-exports the real package as cover. The `postinstall` hook in package.json runs `node install.js`, which executes a full attack chain on every install:

1. XOR-decodes a hardcoded Telegram bot token and chat id.
2. `collect()` reads installer secrets from `~/.ssh/id_rsa`, `~/.aws/credentials`, `~/.config/solana/id.json`, `~/.solana/id.json`, project and system `.env` files (`/root/.env`, `/home/node/.env`, `/app/.env`), and scrapes `process.env` for variables matching `/KEY|SECRET|MNEMONIC|PRIVATE|TOKEN|AWS|NPM|GITHUB/i`.
3. `exfilNow()` POSTs the harvested secrets in chunks to `api.telegram.org/bot<token>/sendMessage`.
4. Writes `/tmp/.cron-tmp` and pipes it through `crontab -` to install an `@reboot sleep 90 && node install.js` persistence entry.
5. Enters an infinite `c2Loop()` polling Telegram `getUpdates` and dispatching attacker-supplied `/sh`, `/cmd`, `/keys`, `/ssh`, `/env`, `/wallet` commands through `execSync`, giving the operator arbitrary remote code execution.

An HMAC `AUTH_SECRET` and the bot credentials are XOR-obfuscated, with an in-source comment acknowledging anti-scanner intent.

## Source: ossf-package-analysis (99d2ea7302fd72532bbe21dd885a0c456599e7fb1e8055977e35ae563236e530)

The OpenSSF Package Analysis project identified '@solana-labs/web3-js' @ 1.0.0 (npm) as malicious. It is considered malicious because:

- The package communicates with a domain associated with malicious activity.
- The package executes one or more commands associated with malicious behavior.
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs. Last record update .
No exploitation, limited impact or prevalence