
MAL-2026-5788

Malicious code in @solana-labs/web3js (npm)

Details


## Source: amazon-inspector (b79f799d106eaad2a09af8eac8b3ac64a46966e392ec423461facd26dc958705)

This package impersonates the legitimate @solana/web3.js library under a confusable scope (@solana-labs/web3js). On `npm install`, the postinstall hook executes install.js, which loads `os`, `child_process`, `fs`, and `https`, collects host identifiers via `os.hostname()` and `os.userInfo()` along with `process.platform`, probes filesystem paths via `fs.existsSync(...)`, and issues HTTPS POST requests carrying the harvested information. install.js also invokes `execSync('powershell...')` and `execSync('curl...')` to run shell commands fetched/triggered at install time. A reference to `http://www.apple.com` appears alongside the exfiltration code, consistent with connectivity-check or decoy behavior. The combination of name-squat against a widely used Solana library, automatic execution at install via postinstall, host enumeration, and shell execution constitutes an installer-targeted supply-chain attack.
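The two signals described above, a lookalike name and an install-time script, can both be checked from a lockfile before anything is installed. The following is an added example, not code from the advisory or from either package: it audits a parsed `package-lock.json` (lockfileVersion 2 or 3) using npm's `hasInstallScript` flag. The `TRUSTED` list, the function names and the sample lockfile are assumptions made for illustration.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3).
// TRUSTED is an assumed allowlist; extend it with the packages you depend on.
const TRUSTED = ["@solana/web3.js"];

// Split "@scope/name" and reduce the name to letters and digits,
// so "web3.js", "web3js" and "web3-js" all compare equal.
function parseName(full) {
  const m = /^(?:(@[^/]+)\/)?(.+)$/.exec(full);
  return { scope: m[1] || "", base: m[2].toLowerCase().replace(/[^a-z0-9]/g, "") };
}

// A name is a lookalike when its base matches a trusted package's base
// but the full name differs (other scope, dropped punctuation, ...).
function lookalikeOf(full, trusted = TRUSTED) {
  const cand = parseName(full);
  for (const t of trusted) {
    if (full !== t && parseName(t).base === cand.base) return t;
  }
  return null;
}

// Report every locked package that imitates a trusted name or that
// declares a preinstall/install/postinstall script.
function auditLockfile(lock, trusted = TRUSTED) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i === -1) continue; // the "" key is the root project
    const name = path.slice(i + "node_modules/".length);
    const imitates = lookalikeOf(name, trusted);
    const runsScript = meta.hasInstallScript === true;
    if (imitates || runsScript) findings.push({ name, imitates, runsScript });
  }
  return findings;
}

// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@solana/web3.js": { version: "0.0.0-sample" },
    "node_modules/@solana-labs/web3js": { version: "0.0.0-sample", hasInstallScript: true },
    "node_modules/example-addon": { version: "0.0.0-sample", hasInstallScript: true },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

Running the audit against a lockfile produced with `npm install --package-lock-only --ignore-scripts` lets the check happen without executing any postinstall hook.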


Affected packages

npm / @solana-labs/web3js

No fixed version published yet for @solana-labs/web3js (npm). Pin to a known-safe version or switch to an alternative.

References