{"id":"MAL-2026-5787","summary":"Malicious code in @solana-labs/spl-toke (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (490ce5d7e43d8a79aa85bbd24e7140ed074eee472f375092ab9b4cd650ce41f8)\nPackage name `@solana-labs/spl-toke` is a one-character omission of the legitimate `@solana-labs/spl-token` package, abusing the official Solana Labs scope-and-name shape to confuse installers. The bundled outputs at lib/index.cjs.js and lib/index.esm.js contain repeated co-occurrences of `require('child_process')`, `curl` invocations, `fetch(` calls, and `POST` request shapes spread across many lines (e.g. cjs lines 11441, 11466, 11479, 11495, 11535 for child_process; lines 11441, 11495, 11535, 11589, 11629 for curl; lines 5041/5046, 11464, 11558, 11652 for fetch+POST). The combination of (a) a clear typosquat against a top-tier blockchain SDK namespace and (b) bundled subprocess + outbound HTTP primitives in a package that purports to be a thin SPL-token client matches the supply-chain dropper/exfil shape and should not be allowed to install on developer or build machines.\n","modified":"2026-06-15T17:31:49.486959800Z","published":"2026-06-15T17:15:36Z","database_specific":{"malicious-packages-origins":[{"sha256":"0a75812030937ae0ecf6c5d267667b2454058a324711bf3280ed3e97eb5f8b5a","id":"IN-MAL-2026-006587","modified_time":"2026-06-15T17:15:46Z","import_time":"2026-06-15T17:22:52.468191324Z","source":"amazon-inspector","versions":["1.0.0"]},{"versions":["1.98.112"],"id":"IN-MAL-2026-006575","modified_time":"2026-06-15T17:15:38Z","import_time":"2026-06-15T17:22:51.550001368Z","source":"amazon-inspector","sha256":"f92bf1c5408d5c80d1bb78242f7315df61273713e07dfad4892f01d0c451e916"},{"sha256":"0b23badd2ad9e0607dabb4d58bc78762691e31c58c9b548db11e0543e21d40fc","id":"IN-MAL-2026-006581","modified_time":"2026-06-15T17:15:43Z","import_time":"2026-06-15T17:22:51.946454218Z","source":"amazon-inspector","versions":["1.0.8"]},{"sha256":"5e83e440dfb72440a6534ecc320ef618b829630c5cb0fbed432f1237fd45f9ec","id":"IN-MAL-2026-006577","modified_time":"2026-06-15T17:15:40Z","import_time":"2026-06-15T17:22:51.706654664Z","source":"amazon-inspector","versions":["1.98.111"]},{"sha256":"75b8b946808d1c68fd9c479993b8ed19b103030b3d37a6feeba099f6d4c02b62","id":"IN-MAL-2026-006579","import_time":"2026-06-15T17:22:51.804434725Z","modified_time":"2026-06-15T17:15:41Z","source":"amazon-inspector","versions":["1.0.10"]},{"sha256":"d10819a7af9f7f0fd57651626b41a13492ba3841206caa870fdcfbbb0516836b","id":"IN-MAL-2026-006574","modified_time":"2026-06-15T17:15:37Z","import_time":"2026-06-15T17:22:51.488796677Z","source":"amazon-inspector","versions":["1.98.112"]},{"versions":["1.0.5"],"id":"IN-MAL-2026-006584","modified_time":"2026-06-15T17:15:44Z","import_time":"2026-06-15T17:22:52.136334677Z","source":"amazon-inspector","sha256":"96715c34660630d56f91507a3de9fe64c47de50c19afe8de61107ecc78a0ac38"},{"versions":["1.0.6"],"id":"IN-MAL-2026-006582","modified_time":"2026-06-15T17:15:43Z","import_time":"2026-06-15T17:22:52.013468649Z","source":"amazon-inspector","sha256":"a91d0a65c4acdc298a7775a0f4a2e3a65dd07ede8c4731fabefce12525ae38e6"},{"versions":["1.0.7"],"id":"IN-MAL-2026-006573","modified_time":"2026-06-15T17:15:36Z","import_time":"2026-06-15T17:22:51.427877495Z","source":"amazon-inspector","sha256":"ae699ea42c65454a0a9fd55bfd47f9eb9647b9a2dcc604ddd4296cf5a72a32ce"},{"sha256":"f4473251be335760795fc2692450b59c06efa8a7227daf3c2d384cd26f1808d5","id":"IN-MAL-2026-006586","modified_time":"2026-06-15T17:15:46Z","import_time":"2026-06-15T17:22:52.315726076Z","source":"amazon-inspector","versions":["1.0.0"]},{"sha256":"16921c38f633d6edf7d7207cdc7cb695891a2f6d8cc6f234144a9ca4f3bd90a0","id":"IN-MAL-2026-006585","modified_time":"2026-06-15T17:15:45Z","import_time":"2026-06-15T17:22:52.182372609Z","source":"amazon-inspector","versions":["1.0.5"]},{"sha256":"1e6354850b8587cc5b396376a5401bbe99f34df134f815a39c9690e37a21e75f","id":"IN-MAL-2026-006580","modified_time":"2026-06-15T17:15:42Z","import_time":"2026-06-15T17:22:51.887968003Z","source":"amazon-inspector","versions":["1.0.10"]},{"sha256":"490ce5d7e43d8a79aa85bbd24e7140ed074eee472f375092ab9b4cd650ce41f8","id":"IN-MAL-2026-006576","modified_time":"2026-06-15T17:15:39Z","import_time":"2026-06-15T17:22:51.620339983Z","source":"amazon-inspector","versions":["1.98.111"]},{"sha256":"4c3108856cfed00df1ae55c038ee7354339ba02864924e43baefb1ca13499531","id":"IN-MAL-2026-006578","modified_time":"2026-06-15T17:15:41Z","import_time":"2026-06-15T17:22:51.757647988Z","source":"amazon-inspector","versions":["1.0.8"]},{"versions":["1.0.7"],"id":"IN-MAL-2026-006588","modified_time":"2026-06-15T17:15:47Z","import_time":"2026-06-15T17:22:52.556768058Z","source":"amazon-inspector","sha256":"6962bb20fc11a76d4a8235c0cf55f36a941167d4cae085e5a391ea7637b8ceb6"},{"versions":["1.0.6"],"id":"IN-MAL-2026-006583","modified_time":"2026-06-15T17:15:44Z","import_time":"2026-06-15T17:22:52.086784048Z","source":"amazon-inspector","sha256":"e56cb6f556b8a711af49f2feabc153d8d20fc9f410db77a5da2855382f946803"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@solana-labs/spl-toke/v/1.0.10"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@solana-labs/spl-toke/v/1.98.112"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@solana-labs/spl-toke/v/1.0.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@solana-labs/spl-toke/v/1.0.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@solana-labs/spl-toke/v/1.0.7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@solana-labs/spl-toke/v/1.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@solana-labs/spl-toke/v/1.98.111"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@solana-labs/spl-toke/v/1.0.8"}],"affected":[{"package":{"name":"@solana-labs/spl-toke","ecosystem":"npm","purl":"pkg:npm/%40solana-labs%2Fspl-toke"},"versions":["1.0.0","1.98.112","1.0.8","1.98.111","1.0.10","1.0.5","1.0.6","1.0.7"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@solana-labs/spl-toke/MAL-2026-5787.json","indicators":{"ips":["149.154.166.110","10.1.0.2","104.16.9.34","34.160.111.145"],"domains":["ifconfig.me","api.telegram.org"],"package_integrity":[{"hashes":{"sha512_sri":"sha512-m/Rr01AMHA8WQZK4p+DF8S6gHIBz0qy7Yk1+8PuOGM7K9GjDC8BAD+qEoPFP99Yw9tj/VNghNgkDKw0wpUB5Lg==","sha1":"dcb812e6946a77a1e922c09d6143fbb92608cc43"},"filename":"spl-toke-1.0.10.tgz"}],"evidence_files":[{"sha256":"5cf2676da1c145a83b72ff6272aa70be6866bc837a2c468f2c7da71e9b11d428","path":"install.js","tlsh":"956207ebbbba93b8c69220745e2fb00754bbb5134d88d148b84cf4412fa834457a7df9"},{"sha256":"54830e384595b6e88b1f5c7ccada352690ba66b8b389f84b050e611367c2fa20","path":"package.json","tlsh":"55e02610cd619d6324c42d9b0db78509191a893b0844b80c3bc3718d8fada3f19fb66e"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}