MAL-2026-6509
Malicious code in @merceas/anchor (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (86a51319de26245ad91c68a6a6d0713454112443e55f466711e79eb1a23a45b8)

Package is published as @merceas/anchor but its README, homepage (https://github.com/coral-xyz/anchor#readme), repository, and source are a verbatim copy of @coral-xyz/anchor — a typosquat/impersonation of the legitimate Solana Anchor SDK.

The package.json overrides the standard `cross-fetch` dependency with an npm alias to a fork under the same scope: `"cross-fetch": "npm:@merceas/cross-fetch@3.1.9"`. Installing this package silently pulls @merceas/cross-fetch into the dependency tree, routing every HTTP call made through the SDK (including dist/cjs/utils/registry.js's `https://api.apr.dev/api/v0/program/<id>/latest?limit=<n>` call, and any fetches consumers make via the SDK's transport) through code controlled by the same actor that published this typosquat. The cross-fetch substitution is the attack mechanism: the malicious payload is in the transitive package the installer is forced to pull, not in this tarball.
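The alias trick described above is easy to miss in a manual review because the dependency key still reads `cross-fetch`. The following is an added example (not part of this advisory or of any scanner's code) of a small check a defender can run over a package.json before installing: it flags every dependency whose spec uses the `npm:` alias protocol to resolve to a package name different from the declared key. The manifest below is constructed to mirror the pattern in the advisory; its version field and the extra dependencies are invented for illustration.

```python
import json
import re

# Constructed sample manifest mirroring the substitution described in the
# advisory. The "version" value and the bn.js/lodash/typescript entries are
# invented; only the cross-fetch alias reflects the reported pattern.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "@merceas/anchor",
    "version": "0.0.0",
    "dependencies": {
        "cross-fetch": "npm:@merceas/cross-fetch@3.1.9",
        "bn.js": "^5.1.2",
        "lodash": "npm:lodash@^4.17.21",
    },
    "devDependencies": {
        "typescript": "^5.0.0",
    },
})

# npm alias specs look like "npm:<package>[@<range>]", where <package> may be
# scoped ("@scope/name") or unscoped ("name").
ALIAS_RE = re.compile(r"^npm:(?P<target>@[^/@]+/[^@]+|[^@]+)(?:@(?P<range>.+))?$")

DEP_SECTIONS = (
    "dependencies",
    "devDependencies",
    "optionalDependencies",
    "peerDependencies",
)


def find_alias_substitutions(package_json_text):
    """Return (section, declared_name, aliased_package, range) tuples for every
    dependency whose npm: alias resolves to a package name that differs from the
    declared dependency key. A self-alias such as "npm:lodash@^4" is not flagged,
    since it installs the package the key names."""
    manifest = json.loads(package_json_text)
    findings = []
    for section in DEP_SECTIONS:
        for name, spec in (manifest.get(section) or {}).items():
            if not isinstance(spec, str):
                continue
            match = ALIAS_RE.match(spec)
            if match is None:
                continue
            target = match.group("target")
            if target != name:
                findings.append((section, name, target, match.group("range")))
    return findings


def format_report(findings):
    """Render findings as one line each, suitable for a CI log."""
    return [
        f"{section}: '{name}' is aliased to '{target}' (range {rng or 'unspecified'})"
        for section, name, target, rng in findings
    ]


if __name__ == "__main__":
    for line in format_report(find_alias_substitutions(SAMPLE_PACKAGE_JSON)):
        print(line)
```

The check only inspects the declared manifest; a lockfile review (the `resolved` URL of the `cross-fetch` entry) is the complementary step, because that is where the substituted tarball actually appears after install.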
Affected packages
No fixed version published yet for @merceas/anchor (npm). Pin to a known-safe version or switch to an alternative.