
MAL-2026-5786

Malicious code in @solana-labs/ancor (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4d59b87155558b811b79a7d671f6dcd66bee47adff3a7022ab22d73f18d86369)

Package name `@solana-labs/ancor` is a one-character typosquat of the legitimate `@coral-xyz/anchor` / `@project-serum/anchor` Solana framework, published under the `@solana-labs` scope to impersonate official Solana Labs tooling. `package.json` declares `"postinstall": "node install.js"`, which fires automatically on `npm install`. `install.js` reads host identifiers via `os.hostname()` and `process.platform`, invokes `child_process.execSync`, issues outbound HTTP/HTTPS traffic (including a `POST` at line 113 and a `curl` shell-out at line 173), and references `https://api.mainnet-beta.solana.com` as cover traffic. The combination of (a) an impersonating-scope name targeting a top-tier ecosystem package, (b) a postinstall lifecycle hook executing a script that reads host identity and shells out to network primitives, and (c) `execSync` of arbitrary commands during install constitutes an install-time host reconnaissance / command-execution payload against any developer or build system that installs this package.
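The two traits the analysis above relies on, an automatic install hook and a near-miss name under the wrong scope, can be checked before a manifest is ever installed. The script below is an added example (not code from the advisory, from Amazon Inspector, or from any package); the allowlist of legitimate names/scopes and the sample `package.json` are constructed for illustration.

```python
"""Audit an npm package.json for install-time lifecycle hooks and for names that
are one edit away from a known package but published under a different scope."""
import json
from typing import Dict, List, Set, Tuple

# Lifecycle scripts that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed allowlist: unscoped name -> scopes that legitimately publish it.
KNOWN_PACKAGES: Dict[str, Set[str]] = {
    "anchor": {"@coral-xyz", "@project-serum"},
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two short strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_name(full: str) -> Tuple[str, str]:
    """'@scope/name' -> ('@scope', 'name'); an unscoped name -> ('', name)."""
    if full.startswith("@") and "/" in full:
        scope, name = full.split("/", 1)
        return scope, name
    return "", full


def audit_manifest(manifest_text: str, known=KNOWN_PACKAGES, max_dist: int = 1) -> List[str]:
    """Return human-readable findings for one package.json body (empty list = clean)."""
    pkg = json.loads(manifest_text)
    findings: List[str] = []
    scripts = pkg.get("scripts") or {}
    for hook in INSTALL_HOOKS:  # any of these runs code without the user asking
        if hook in scripts:
            findings.append(f"install hook {hook!r} runs: {scripts[hook]}")
    full = pkg.get("name", "")
    scope, name = split_name(full)
    for legit, scopes in known.items():
        # Flag a near-identical name, or the exact name under an unexpected scope.
        if levenshtein(name, legit) <= max_dist and (name != legit or scope not in scopes):
            expected = ", ".join(sorted(f"{s}/{legit}" for s in scopes))
            findings.append(f"name {full} resembles {expected}")
    return findings


# Constructed manifest shaped like the advisory's description (not the real file).
SAMPLE = '{"name": "@solana-labs/ancor", "version": "0.1.0", "scripts": {"postinstall": "node install.js"}}'
```

Running `audit_manifest` over every `package.json` in a lockfile or `node_modules` tree gives a pre-install gate; setting `ignore-scripts=true` in `.npmrc` stops the hook itself from running while the finding is reviewed.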


Affected package

npm / @solana-labs/ancor

No fixed version has been published yet for @solana-labs/ancor (npm). Pin to a known-safe version or switch to an alternative.

References