{"id":"MAL-2026-5358","summary":"Malicious code in solana-core-4 (npm)","details":"Crypto/SSH/wallet stealer, blockchain-helper-0/web3-tools-9 campaign sibling (c960/c961). postinstall scripts/postinstall.js auto-execs, src/index.js harvests ~/.ssh/id_rsa+wallet keys/seeds+env, self-labels \"CRYPTO STEALER\", exfils to IDENTICAL Telegram bot 8227918239 chat 6433587894 (not rotated). Generic-crypto-name + numeric suffix + 1.0.0 pattern.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: ossf-package-analysis (efb376d3542aadcfbbb9f689dcfcd73534f230fbe75ed465327444685097fd6d)\nThe OpenSSF Package Analysis project identified 'solana-core-4' @ 1.0.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-06-09T12:16:27.332500262Z","published":"2026-06-09T03:26:08Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.0"],"import_time":"2026-06-09T12:03:47.849959932Z","sha256":"efb376d3542aadcfbbb9f689dcfcd73534f230fbe75ed465327444685097fd6d","modified_time":"2026-06-09T03:26:08Z","source":"ossf-package-analysis"}]},"references":[{"type":"REPORT","url":"https://app.safedep.io/community/malysis/01KTN5C8PDTMRFMHPJX8KW1TNG"}],"affected":[{"package":{"name":"solana-core-4","ecosystem":"npm","purl":"pkg:npm/solana-core-4"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/solana-core-4/MAL-2026-5358.json"}}],"schema_version":"1.7.5","credits":[{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"},{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}