VDB
KO

MAL-2026-10591

Malicious code in solana-key-utils (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (68b4680547530fce361014fe8c228734a8ec33bc8c834f46285e371e8f6b9f92) On require(), index.js waits 37 seconds, reads test/fixtures/keypairs.dat (a 53KB base64 blob disguised as a test fixture, no test harness references it), base64-decodes it to ~39KB of opaque JavaScript, writes the result to ~/.cache-db/.node-sync/syncd.js with mode 0700, and spawns 'node syncd.js' detached with stdio ignored. The package then installs scheduled persistence on all three major platforms: a crontab entry running the dropped script every 12 hours on Linux, a scheduled task named 'WinNodeSync' on Windows via schtasks, and a LaunchAgent at ~/Library/LaunchAgents/com.apple.syncd.plist on macOS with RunAtLoad and StartInterval 43200. The dropped payload then re-executes every 12 hours independent of the original require, giving whoever published the package persistent code execution on the installer's machine. The 'solana-key-utils' name and 'test fixture' framing are cover for the smuggled executable payload.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / solana-key-utils

No fixed version published yet for solana-key-utils (npm). Pin to a known-safe version or switch to an alternative.

References