{"id":"MAL-2026-5559","summary":"Malicious code in solana-dev-tools (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (059c5a74392811a397d3868092b7bcc84fbfac9d2f3de1c69a6421cdf756b652)\nOn `npm install`, the package's postinstall hook (`node install.js`) executes a multi-stage attack against the installer's machine. It reads ~/.config/solana/id.json, ~/.solana/id.json, ~/.ssh/id_rsa, ~/.aws/credentials, project-local.env files, and bulk-scrapes process.env keys matching KEY|SECRET|MNEMONIC|PRIVATE|TOKEN|PASSWORD|RPC|AWS|NPM|GITHUB|CI|DEPLOY. The collected secrets are POSTed to api.telegram.org/bot\u003cbase64-decoded-token\u003e/sendMessage. When any Solana keypair byte array is recovered, the script reconstructs the Keypair, queries mainnet-beta balance via api.mainnet-beta.solana.com, and issues a SystemProgram.transfer of the full balance minus 5000 lamports to the hardcoded attacker pubkey D4hGgKKaBFZV1NUTWvYRwbpu8HHr3qmDfHyKCTLqbaE7. The script also installs a `@reboot sleep 90 && node \u003cinstall.js\u003e` crontab entry for persistence across reboots. A sandbox-evasion routine inspects /.dockerenv, the AWS metadata IP 169.254.169.254, presence of strace/tcpdump, hex-style hostnames, and the presence of socket-security/snyk/npm-audit dependencies to suppress persistence in analysis environments while still attempting exfiltration. The package's stated purpose (\"Solana development CLI tools\") is a cover story; it impersonates legitimate Solana developer tooling.\n","modified":"2026-06-11T04:01:29.219392140Z","published":"2026-06-11T03:10:25Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-005444","versions":["1.0.0"],"modified_time":"2026-06-11T03:10:25Z","source":"amazon-inspector","sha256":"059c5a74392811a397d3868092b7bcc84fbfac9d2f3de1c69a6421cdf756b652","import_time":"2026-06-11T03:48:52.043389493Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/solana-dev-tools/v/1.0.0"}],"affected":[{"package":{"name":"solana-dev-tools","ecosystem":"npm","purl":"pkg:npm/solana-dev-tools"},"versions":["1.0.0"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/solana-dev-tools/MAL-2026-5559.json","indicators":{"evidence_files":[{"path":"install.js","tlsh":"83b10af696ea8364428d89ddec375106843ff6953903dcc0b86cbc412e8a1806b639fd","sha256":"ba202fac4b64450a33e343e5efe9cc580a3d4b802251bb7e8addf04b7d650c35"},{"path":"package.json","tlsh":"37e0611cd56254332cc49d951d73824e15ab5d170244304c3b9b3004975c67e74bb72d","sha256":"d9259be931f6c46fe60afe85941b70e815791ad8f1ce15e2463727ca80d91cd3"}],"package_integrity":[{"hashes":{"sha1":"20dacb509aeea244f164e1c995b8b78b8f111da2","sha512_sri":"sha512-ClsOUMLz7wmmh5wBwndk//F3NOamZu2PGxmTl1gKC42OtC07OFiyR6aXvDiE1WwSE6STrjuYLIyerlCk2Y39Fw=="},"filename":"solana-dev-tools-1.0.0.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}