MAL-2026-10591
Malicious code in solana-key-utils (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (68b4680547530fce361014fe8c228734a8ec33bc8c834f46285e371e8f6b9f92) On require(), index.js waits 37 seconds, reads test/fixtures/keypairs.dat (a 53KB base64 blob disguised as a test fixture, no test harness references it), base64-decodes it to ~39KB of opaque JavaScript, writes the result to ~/.cache-db/.node-sync/syncd.js with mode 0700, and spawns 'node syncd.js' detached with stdio ignored. The package then installs scheduled persistence on all three major platforms: a crontab entry running the dropped script every 12 hours on Linux, a scheduled task named 'WinNodeSync' on Windows via schtasks, and a LaunchAgent at ~/Library/LaunchAgents/com.apple.syncd.plist on macOS with RunAtLoad and StartInterval 43200. The dropped payload then re-executes every 12 hours independent of the original require, giving whoever published the package persistent code execution on the installer's machine. The 'solana-key-utils' name and 'test fixture' framing are cover for the smuggled executable payload.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for solana-key-utils (npm). Pin to a known-safe version or switch to an alternative.