{
  "id": "MAL-2026-5525",
  "summary": "Malicious code in @solana-labs/web3.js (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (91b0523027116b3981b0f1dfe925f01d8956eb19817aae6ea7d0022d5357fba4)\nPackage `@solana-labs/web3.js` impersonates the legitimate `@solana/web3.js` and re-exports it as cover while running a malicious `postinstall` (`node install.js`). On `npm install`, install.js performs sandbox-evasion checks (hostname pattern scoring for Docker/AWS/CI runners, /proc/uptime, presence of strace/tcpdump/auditd, AWS metadata 169.254.169.254, security-tooling dependencies) and aborts if it detects analysis. Otherwise it enumerates installer secrets — `~/.ssh/id_rsa`, `~/.aws/credentials`, `~/.config/solana/id.json`, `.env` files, and scrapes `process.env` for KEY/SECRET/MNEMONIC/NPM/GITHUB tokens — and harvests crypto material including ETH private keys (`/0x[a-fA-F0-9]{64}/`), Solana 64-byte arrays, and AWS keys. Stolen data is tagged `[ETH]/[SOLANA]/[AWS]/[SSH]/[NPM]/[GITHUB]` and exfiltrated to `api.telegram.org/bot\u003ctoken\u003e/...` using XOR-obfuscated bot token, chat ID, and HMAC auth secret embedded in install.js. install.js then enters a long-poll loop against Telegram `getUpdates` accepting commands `/keys`, `/ssh`, `/env`, `/wallet`, `/sh \u003ccmd\u003e`, and bare text, executing them via `execSync` (PowerShell on Windows) and returning output to the attacker — a full reverse-shell C2 backdoor. Persistence is established via a `@reboot sleep 90 && node \u003cpath\u003e` crontab entry. A hardcoded Solana drain address `D4hGgKKaBFZV1NUTWvYRwbpu8HHr3qmDfHyKCTLqbaE7` is present for wallet theft.\n",
  "modified": "2026-06-11T04:01:30.971479660Z",
  "published": "2026-06-10T18:37:05Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-005289",
        "sha256": "91b0523027116b3981b0f1dfe925f01d8956eb19817aae6ea7d0022d5357fba4",
        "versions": ["1.0.7"],
        "modified_time": "2026-06-10T18:37:05Z",
        "source": "amazon-inspector",
        "import_time": "2026-06-10T19:23:48.407752036Z"
      },
      {
        "id": "IN-MAL-2026-005412",
        "sha256": "ecbc63549cc76fd907dd706b2179b18cd8c55b268dd09d8d9251bf809959d0ff",
        "versions": ["1.0.0"],
        "modified_time": "2026-06-11T02:56:32Z",
        "source": "amazon-inspector",
        "import_time": "2026-06-11T03:48:48.040739264Z"
      },
      {
        "id": "IN-MAL-2026-005413",
        "sha256": "4d8c1fbfa898eecbdb8a68ea66a8df992831e3e5162eaddefc00aac759bbeca6",
        "versions": ["1.0.10"],
        "modified_time": "2026-06-11T02:56:36Z",
        "source": "amazon-inspector",
        "import_time": "2026-06-11T03:48:48.167932571Z"
      },
      {
        "id": "IN-MAL-2026-005411",
        "modified_time": "2026-06-11T02:56:32Z",
        "versions": ["1.0.0"],
        "import_time": "2026-06-11T03:48:47.930436913Z",
        "source": "amazon-inspector",
        "sha256": "71cb6a46817602611ef7fff42f375bd177bcb9e0a896cf29dfdbd7e637ca8f11"
      },
      {
        "id": "IN-MAL-2026-005415",
        "sha256": "91b279bb9db78faa1c5e6093b86517d3203181c5b832cbc8a5389b10173eb9aa",
        "versions": ["1.0.6"],
        "modified_time": "2026-06-11T02:56:43Z",
        "source": "amazon-inspector",
        "import_time": "2026-06-11T03:48:48.448091892Z"
      },
      {
        "id": "IN-MAL-2026-005414",
        "sha256": "a72f1201ef049594dc4486cbb51dab1a840d8ff0ba9a9b54cabfd28bc16c0c60",
        "versions": ["1.0.8"],
        "modified_time": "2026-06-11T02:56:40Z",
        "source": "amazon-inspector",
        "import_time": "2026-06-11T03:48:48.267985431Z"
      },
      {
        "id": "IN-MAL-2026-005410",
        "import_time": "2026-06-11T03:48:47.805030599Z",
        "versions": ["1.98.112"],
        "sha256": "e2d5a23bad2592218c4af9410b15a1f7f5cf1700cf5a8241e3ffeec8106c53e6",
        "source": "amazon-inspector",
        "modified_time": "2026-06-11T02:56:19Z"
      }
    ]
  },
  "references": [
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/@solana-labs/web3.js/v/1.0.7"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/@solana-labs/web3.js/v/1.0.10"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/@solana-labs/web3.js/v/1.0.0"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/@solana-labs/web3.js/v/1.0.6"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/@solana-labs/web3.js/v/1.0.8"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/@solana-labs/web3.js/v/1.98.112"}
  ],
  "affected": [
    {
      "package": {
        "name": "@solana-labs/web3.js",
        "ecosystem": "npm",
        "purl": "pkg:npm/%40solana-labs%2Fweb3.js"
      },
      "versions": ["1.0.7", "1.0.0", "1.0.10", "1.0.6", "1.0.8", "1.98.112"],
      "database_specific": {
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@solana-labs/web3.js/MAL-2026-5525.json",
        "cwes": [
          {"name": "Embedded Malicious Code", "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature."},
          {"name": "Embedded Malicious Code", "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature."},
          {"name": "Embedded Malicious Code", "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature."},
          {"cweId": "CWE-506", "name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature."},
          {"cweId": "CWE-506", "name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature."},
          {"cweId": "CWE-506", "name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature."}
        ],
        "indicators": {
          "evidence_files": [
            {
              "tlsh": "3c4219bbf7a993b8c69a20785e1fb10b947b79134d84e144f85ce4826f6c24413a7cf9",
              "path": "install.js",
              "sha256": "e2f55065f26c6337b01f1e944df3f4c13a374b1b47ee8771a5e5680f9324c97e"
            }
          ],
          "package_integrity": [
            {
              "hashes": {
                "sha1": "6521dabf12b7042da38d9f566ed10f74ad32b77a",
                "sha512_sri": "sha512-tlYdcAHCeVemdvK8j8FpPJU4oBgQxguv3BMp4EDOXq16nd9D7YEVy7li4ilkGYXdw+wf7gJS3POOtDokbseIwQ=="
              },
              "filename": "web3.js-1.0.7.tgz"
            }
          ],
          "domains": ["ifconfig.me", "api.telegram.org"]
        }
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {
      "name": "Amazon Inspector",
      "contact": ["inspector-research@amazon.com"],
      "type": "FINDER"
    }
  ]
}