{"id":"MAL-2026-5362","summary":"Malicious code in @solana-labs/etherjs (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (5c086a8d2c3022bc55743fdca944c8810b997ec203e8742606bf14cccee721db)\nPackage is published as `@solana-labs/etherjs` but its README documents itself as `@solana-labs/web3.js` and instructs consumers to `import { Connection, PublicKey, Keypair } from '@solana-labs/web3.js'` — the legitimate Solana SDK is `@solana/web3.js` (no `-labs`). Developers who copy the README install line land on this package instead. The Node CommonJS and ESM bundles (`lib/index.cjs.js`, `lib/index.esm.js`) are a fork of solana-web3.js with an injected payload that, on `require()`/`import`, reads `process.env` (lines 11365-11366, 11448, 11453, 11542, 11547 in the CJS bundle) and POSTs the harvested data to a hardcoded bare IP `http://104.239.66.223:8899` (line 11384) and to `https://api.telegram.org/bot.../sendMessage` with a fixed `chat_id` (lines 11415-11417). The same blocks repeatedly `require('child_process')` (lines 11441, 11466, 11479, 11495, 11535) and invoke `curl`, enabling attacker-influenced shell execution on the installer host. The browser/native bundles omit the payload, confirming it is gated to Node consumers. Both attacker destinations are hardcoded with no opt-out.\n\n## Source: ossf-package-analysis (f3c9e260b3ed97dca42969f7b7836399ce071c4708cffd473bd6b3cf62925401)\nThe OpenSSF Package Analysis project identified '@solana-labs/etherjs' @ 1.0.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-06-11T04:01:31.031597921Z","published":"2026-06-07T05:44:38Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.0"],"source":"ossf-package-analysis","modified_time":"2026-06-07T05:44:38Z","import_time":"2026-06-09T12:03:47.084681057Z","sha256":"f3c9e260b3ed97dca42969f7b7836399ce071c4708cffd473bd6b3cf62925401"},{"source":"amazon-inspector","versions":["1.98.111"],"id":"IN-MAL-2026-005453","modified_time":"2026-06-11T03:16:26Z","import_time":"2026-06-11T03:48:53.240708311Z","sha256":"5c086a8d2c3022bc55743fdca944c8810b997ec203e8742606bf14cccee721db"},{"source":"amazon-inspector","versions":["1.98.112"],"id":"IN-MAL-2026-005443","modified_time":"2026-06-11T03:10:04Z","import_time":"2026-06-11T03:48:51.939970699Z","sha256":"87969d62ce8c5d296289915afecd9628f33ba83360c4b120ffca330e91c91cdf"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@solana-labs/etherjs/v/1.98.111"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@solana-labs/etherjs/v/1.98.112"}],"affected":[{"package":{"name":"@solana-labs/etherjs","ecosystem":"npm","purl":"pkg:npm/%40solana-labs%2Fetherjs"},"versions":["1.0.0","1.98.111","1.98.112"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"hashes":{"sha1":"6b824a6ae60e8c206e9e729626166aceebd8b5c8","sha512_sri":"sha512-rSIC7+wLUtQasShi7W5Bpo9Ko3aQkT8uGmYEWFclnqT7yHoQjxzkpaPG1cko/qfNhWx0ncjTavqYqUbMetpL7g=="},"filename":"etherjs-1.98.111.tgz"}],"evidence_files":[{"path":"package.json","tlsh":"9441f035cd4a8ca35ec4266aa9bd51437661c41b4e95f80c33cb750c8f4daaf227d62e","sha256":"0bd897a24d4568395194d62574107085f61fdbf7cff72b924547f52d49825aa0"},{"path":"lib/index.cjs.js","tlsh":"3c84b2097af260a249a330661f2b6485a736d007350cd8757dce93742f5ebbc86b7fa4","sha256":"22f44f38dd5594d4f8bccb223c6db16bc9d7cca18c4b576eb349d943080d6f46"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@solana-labs/etherjs/MAL-2026-5362.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}