{"id":"MAL-2026-5861","summary":"Malicious code in solana-mev-bot (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e65516d3e042858742ebfee878ff2de6361994ce0155dcbf53c8e0f24cd5fafb)\nbot.js performs a hardcoded HTTPS GET to api.telegram.org's bot sendMessage endpoint, transmitting host fingerprint data collected via os.hostname(), os.userInfo(), and process.platform. The file also imports child_process and reads from the filesystem (fs.existsSync / fs.readFileSync) alongside the network exfiltration primitive. The destination is an attacker-operated Telegram bot, used as an exfiltration channel to siphon installer host identity and likely credential/wallet material from disk. The package name impersonates a Solana MEV trading utility to lure crypto users into running it.\n","modified":"2026-06-16T04:01:49.138530461Z","published":"2026-06-16T03:00:10Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.0"],"modified_time":"2026-06-16T03:00:10Z","import_time":"2026-06-16T03:49:20.111243144Z","source":"amazon-inspector","id":"IN-MAL-2026-006744","sha256":"e65516d3e042858742ebfee878ff2de6361994ce0155dcbf53c8e0f24cd5fafb"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/solana-mev-bot/v/1.0.0"}],"affected":[{"package":{"name":"solana-mev-bot","ecosystem":"npm","purl":"pkg:npm/solana-mev-bot"},"versions":["1.0.0"],"database_specific":{"indicators":{"package_integrity":[{"filename":"solana-mev-bot-1.0.0.tgz","hashes":{"sha1":"2ec4f70010359d3e333fb7e05c6fbf2020a59c0e","sha512_sri":"sha512-jjVZDLDfs2dxwoejSK45GIfoMAC6yWCnythKJdPdtMBDhe2AlRhCK1YaBi396AjL5eI6YIJvMfE8rBqHWtbTgQ=="}}],"evidence_files":[{"tlsh":"bea184506efb623430f76cea9fb71c02251be603f900d994758d87d24fba128de129ad","sha256":"a3ebeaf11b3c1efde4a7956c0c8bd47a29726c15e825d5a46f2bde2ded3875e9","path":"bot.js"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/solana-mev-bot/MAL-2026-5861.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}