MAL-2026-5338
Malicious code in solana-web3-py (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (af1a2f1a7c7e3bddb9c8d2fcb8a4c86a6755763c94b95b1eddb81f382318c432)
Malicious typosquat impersonating the legitimate Solana Python SDK (solana / solana-py) and the JS @solana/web3.js. The package ships no SDK functionality; the only behavior is credential theft. On import, __init__.py reads installer secrets including ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.aws/credentials, ~/.config/solana/id.json, ~/.solana/id.json, and .env files at ./, ../, /app/, /root/, and scrapes environment variables matching KEY/SECRET/MNEMONIC/PRIVATE/TOKEN/PASSWORD/AWS/NPM/GITHUB/SOLANA. The collected payload is POSTed to a hardcoded Telegram bot (api.telegram.org sendMessage with bot token 8870595195:... and chat_id 8346336575). On non-Windows hosts, _persist() writes /tmp/.psync containing a `@reboot sleep 90 && python3 <init>` cron line and registers it via `crontab -`, ensuring the credential dropper re-runs on every reboot even after the package is uninstalled. The Solana wallet key path (~/.config/solana/id.json) is explicitly targeted, confirming a wallet-theft motive.
## Source: kam193 (6945b0bfcf3be9438852411527a75d1275367ca7a34ea4a28793e6e0c6258ccb)
During import, the package exfiltrates sensitive data (credentials, SSH keys, crypto wallet data). It also establishes persistence via a cronjob.
---
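As an added defender's check (not part of this advisory or of either source's tooling), the script below hunts a host for the indicators the amazon-inspector entry describes: the installed typosquat, the /tmp/.psync staging file, and the `@reboot sleep 90 && python3 <init>` crontab line, plus a source-text scan for the listed exfiltration behaviors. Distribution name, file path and cron pattern come from the advisory; nothing else is assumed.

```python
import re
import subprocess
import sys
from importlib import metadata
from pathlib import Path
from typing import Optional

MALICIOUS_DIST = "solana-web3-py"  # typosquat named in the advisory
PSYNC_PATH = Path("/tmp/.psync")   # staging file _persist() writes before `crontab -`
# The @reboot line the dropper registers; group 1 is the script it re-launches.
REBOOT_CRON_RE = re.compile(r"^@reboot\s+sleep\s+90\s+&&\s+python3\s+(\S+)", re.M)

def find_cron_persistence(crontab_text: str) -> list[str]:
    """Return script paths from @reboot entries matching the dropper's cron line."""
    return REBOOT_CRON_RE.findall(crontab_text)

def scan_source_for_indicators(source: str) -> dict[str, bool]:
    """Flag the behaviors the advisory lists when they appear in package source text."""
    return {
        "telegram_exfil": "api.telegram.org" in source and "sendMessage" in source,
        "reads_ssh_keys": re.search(r"\.ssh/id_(rsa|ed25519)", source) is not None,
        "reads_solana_wallet": "solana/id.json" in source,  # matches both wallet paths
        "cron_persistence": "crontab" in source and "@reboot" in source,
    }

def installed_version(name: str = MALICIOUS_DIST) -> Optional[str]:
    """Version of the distribution in this interpreter's environment, or None."""
    try:
        return metadata.version(name)
    except metadata.PackageNotFoundError:
        return None

def read_user_crontab() -> str:
    """Output of `crontab -l` for the current user; empty when there is none."""
    proc = subprocess.run(["crontab", "-l"], capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else ""

def main() -> int:
    findings = []
    if version := installed_version():
        findings.append(f"{MALICIOUS_DIST} {version} is installed")
    if PSYNC_PATH.exists():
        findings.append(f"{PSYNC_PATH} exists (cron staging file from _persist())")
    findings += [f"@reboot cron re-launches {s}" for s in find_cron_persistence(read_user_crontab())]
    print("\n".join(f"FINDING: {f}" for f in findings) or "no indicators found")
    return 1 if findings else 0  # non-zero exit lets fleet tooling flag the host

if __name__ == "__main__":
    sys.exit(main())
```

Run it as the same user whose crontab the installer would have modified; uninstalling the package does not remove the @reboot entry, so the cron check is the one that matters after cleanup.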
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-spl-token-py
Reasons (based on the campaign):
- crypto-related
- typosquatting
- exfiltration-ssh-keys
- exfiltration-credentials
- exfiltration-crypto
- exfiltration-env-variables
- persistence
- uses-telegram-bot
- The package contains code to detect if it is running in a sandbox environment.
Affected packages
No fixed version published yet for solana-web3-py (pip). Pin to a known-safe version or switch to an alternative.