
MAL-2026-5861

Malicious code in solana-mev-bot (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e65516d3e042858742ebfee878ff2de6361994ce0155dcbf53c8e0f24cd5fafb)

bot.js performs a hardcoded HTTPS GET to api.telegram.org's bot sendMessage endpoint, transmitting host fingerprint data collected via os.hostname(), os.userInfo(), and process.platform. The file also imports child_process and reads from the filesystem (fs.existsSync / fs.readFileSync) alongside the network exfiltration primitive. The destination is an attacker-operated Telegram bot, used as an exfiltration channel to siphon installer host identity and likely credential/wallet material from disk. The package name impersonates a Solana MEV trading utility to lure crypto users into running it.

Affected packages

npm / solana-mev-bot

No fixed version published yet for solana-mev-bot (npm). Pin to a known-safe version or switch to an alternative.
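
One way to check whether a project resolves this package, directly, transitively or under an alias, is to walk its parsed package-lock.json. This is an added example, not part of the advisory or of any scanner's code; the sample lockfile, the names `trade-helper` and `mev`, and all version numbers in it are constructed.

```javascript
// Added example. Every version counts as affected: the advisory lists no fixed version.
const BAD_NAME = "solana-mev-bot";

// Return each place in a parsed package-lock.json where the flagged package resolves.
function findFlagged(lock, bad = BAD_NAME) {
  const hits = [];
  const marker = "node_modules/";
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue; // root project or a local workspace folder
    const installed = path.slice(idx + marker.length);
    // meta.name is present when the folder name is an alias for another package.
    if (installed === bad || meta.name === bad) {
      hits.push({ where: path, version: meta.version || null });
    }
  }
  // lockfileVersion 1, and the compatibility copy in version 2: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      // An alias is recorded as version "npm:<real-name>@<version>".
      const aliased = String(meta.version || "").startsWith(`npm:${bad}@`);
      if (name === bad || aliased) {
        hits.push({ where: here.join(" > "), version: meta.version || null });
      }
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile: "trade-helper", "mev" and all version numbers are made up.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/solana-mev-bot-utils": { version: "0.1.0" }, // similar name, not flagged
    "node_modules/trade-helper/node_modules/solana-mev-bot": { version: "1.0.0" },
    "node_modules/mev": { name: "solana-mev-bot", version: "1.0.1" },
  },
  dependencies: {
    "trade-helper": { version: "2.0.0", dependencies: { "solana-mev-bot": { version: "1.0.0" } } },
    mev: { version: "npm:solana-mev-bot@1.0.1" },
  },
};

console.log(findFlagged(SAMPLE_LOCK));
```

To scan a real project, pass the result of `JSON.parse` on its package-lock.json; any hit means the package was resolved for install and the host that ran the install should be reviewed.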
