{"id":"MAL-2026-5786","summary":"Malicious code in @solana-labs/ancor (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (4d59b87155558b811b79a7d671f6dcd66bee47adff3a7022ab22d73f18d86369)\nPackage name `@solana-labs/ancor` is a one-character typosquat of the legitimate `@coral-xyz/anchor` / `@project-serum/anchor` Solana framework, published under the `@solana-labs` scope to impersonate official Solana Labs tooling. `package.json` declares `\"postinstall\": \"node install.js\"`, which fires automatically on `npm install`. install.js reads host identifiers via `os.hostname()` and `process.platform`, invokes `child_process.execSync`, issues outbound HTTP/HTTPS traffic (including a `POST` at line 113 and a `curl` shell-out at line 173), and references `https://api.mainnet-beta.solana.com` as cover traffic. The combination of (a) impersonating-scope name targeting a top-tier ecosystem package, (b) a postinstall lifecycle hook executing a script that reads host identity and shells out to network primitives, and (c) execSync of arbitrary commands during install constitutes an install-time host reconnaissance / command-execution payload against any developer or build system that installs this package.\n","modified":"2026-06-15T17:31:49.398949735Z","published":"2026-06-15T17:17:17Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.1"],"id":"IN-MAL-2026-006600","modified_time":"2026-06-15T17:17:28Z","sha256":"06e80dfe88b6d601c9312c9fc13275b703e5d05311232a3f1fa01b1c0a1f041b","import_time":"2026-06-15T17:22:53.536535124Z","source":"amazon-inspector"},{"versions":["1.0.1"],"id":"IN-MAL-2026-006599","modified_time":"2026-06-15T17:17:27Z","sha256":"4341f9b2c0176d9259176539e69a12bec21bd872733a220066f2af7e8c852012","source":"amazon-inspector","import_time":"2026-06-15T17:22:53.441442777Z"},{"versions":["1.0.8"],"id":"IN-MAL-2026-006597","modified_time":"2026-06-15T17:17:25Z","sha256":"a2dc1225b1e56ff04b029102d142b130bf7d9f65e2458034cd7ef630dcdaf5eb","source":"amazon-inspector","import_time":"2026-06-15T17:22:53.323149768Z"},{"versions":["1.0.9"],"id":"IN-MAL-2026-006592","modified_time":"2026-06-15T17:17:22Z","sha256":"e5786abeec93a264217ec9d4ca101ba0f491867bacf387dfd15e891fde36b634","import_time":"2026-06-15T17:22:52.810954547Z","source":"amazon-inspector"},{"versions":["1.0.8"],"id":"IN-MAL-2026-006598","modified_time":"2026-06-15T17:17:25Z","sha256":"0e572d1a61685cd04ccafca460d47a230f0306cca7692e3c1008f2b296592b22","import_time":"2026-06-15T17:22:53.386804733Z","source":"amazon-inspector"},{"versions":["1.0.0"],"id":"IN-MAL-2026-006590","modified_time":"2026-06-15T17:17:18Z","sha256":"3b513d317445b8431eda1751d82e7f50d2d7ef311a9891a7aa9a2fab706236c5","import_time":"2026-06-15T17:22:52.70320754Z","source":"amazon-inspector"},{"versions":["1.0.0"],"id":"IN-MAL-2026-006589","modified_time":"2026-06-15T17:17:17Z","sha256":"3c3f14460d22b93718d3fdf4337cc9b5f3a2526e4cb265a906a9c24d87671f98","source":"amazon-inspector","import_time":"2026-06-15T17:22:52.659805192Z"},{"versions":["1.0.11"],"id":"IN-MAL-2026-006593","modified_time":"2026-06-15T17:17:22Z","sha256":"42c4ffd55383e8703ce8de56e582e1e0eaa2b57d522edb4b4356febd4134e6a5","source":"amazon-inspector","import_time":"2026-06-15T17:22:52.929386825Z"},{"versions":["1.0.11"],"id":"IN-MAL-2026-006591","modified_time":"2026-06-15T17:17:21Z","sha256":"4d59b87155558b811b79a7d671f6dcd66bee47adff3a7022ab22d73f18d86369","source":"amazon-inspector","import_time":"2026-06-15T17:22:52.749849529Z"},{"versions":["1.0.9"],"id":"IN-MAL-2026-006594","modified_time":"2026-06-15T17:17:23Z","sha256":"5feff6d83078f902bd5e7eaa2dd81f78c95289d86ccfcde5f30325c7609278a7","source":"amazon-inspector","import_time":"2026-06-15T17:22:53.05279153Z"},{"versions":["1.0.7"],"id":"IN-MAL-2026-006595","modified_time":"2026-06-15T17:17:23Z","sha256":"8e001b6b18e1b0a1841b10d5e41b1403383d65f61e56f5363efcfc4102162892","import_time":"2026-06-15T17:22:53.174797033Z","source":"amazon-inspector"},{"versions":["1.0.7"],"id":"IN-MAL-2026-006596","modified_time":"2026-06-15T17:17:24Z","sha256":"c2e55c8cd359b7c45614d01f3d8f02bd9f27a9322c52decf65b1524500a0a396","import_time":"2026-06-15T17:22:53.241896585Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@solana-labs/ancor/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@solana-labs/ancor/v/1.0.8"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@solana-labs/ancor/v/1.0.9"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@solana-labs/ancor/v/1.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@solana-labs/ancor/v/1.0.11"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@solana-labs/ancor/v/1.0.7"}],"affected":[{"package":{"name":"@solana-labs/ancor","ecosystem":"npm","purl":"pkg:npm/%40solana-labs%2Fancor"},"versions":["1.0.1","1.0.8","1.0.9","1.0.0","1.0.11","1.0.7"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"5a82e8a506fa5a2456a7f6ac3f0f5019251be10b3508ed55b94c8f946f8932883f2fec","sha256":"26862c85e8b88b8dcf7606678c286130b852dda467257d6e781c1c02293fc913","path":"install.js"},{"tlsh":"9ad05b641b629d332dc45e9b0d33424d26751d174150744d1b9f3108d19d7b7e8ba62e","sha256":"586b641329f23e586cefeef5391e2fe64038b671abc3ea7feb1e27a48a32fd7e","path":"package.json"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-f5xT6CykjGFIv9VehK/BeEtlU5pl5SQg52hAq+cBj2U6MHhuVQfVUs1tXD1V0BKsTg6EOVANcVx3ED0AlVXbWg==","sha1":"f3a17d5b7ce4972c58a87c9ddff158fe5b4135f4"},"filename":"ancor-1.0.1.tgz"}],"ips":["34.160.111.145","149.154.166.110","104.16.10.34","10.1.0.2"],"domains":["ifconfig.me","api.telegram.org"]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@solana-labs/ancor/MAL-2026-5786.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}