@merceas/anchor @0.32.3
Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 2:48 PM UTC
OSV ID
MAL-2026-6509
Ecosystem
npm
Summary
Package is published as @merceas/anchor but its README, homepage (https://github.com/coral-xyz/anchor#readme), repository, and source are a verbatim copy of @coral-xyz/anchor, i.e. a typosquat/impersonation of the legitimate Solana Anchor SDK. Its package.json replaces the standard cross-fetch dependency with an npm alias pointing at a fork under the same scope: "cross-fetch": "npm:@merceas/cross-fetch@3.1.9". Installing this package therefore silently pulls @merceas/cross-fetch into the dependency tree and routes every HTTP call made through the SDK (including the https://api.apr.dev/api/v0/program/<id>/latest?limit=<n> request in dist/cjs/utils/registry.js, and any fetch consumers make via the SDK's transport) through code controlled by the same actor that published this typosquat. The cross-fetch substitution is the attack mechanism: the malicious payload lives in the transitive package the installer is forced to pull, not in this tarball.
Source: amazon-inspector (86a51319de26245ad91c68a6a6d0713454112443e55f466711e79eb1a23a45b8)
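The substitution above is an ordinary npm alias spec ("npm:<name>@<range>"), so it can be detected mechanically before install by reading package.json, and after install by reading the lockfile, where aliased entries carry a "name" field that differs from the node_modules path they occupy. The following is an added example, not code from the advisory or from either package: it flags every dependency whose spec aliases a different package name and marks those whose target sits under the publisher's own scope, the pattern this report describes. The sample manifest and lockfile are constructed; the cross-fetch alias, scope and version mirror the advisory, all other entries are invented placeholders.

```javascript
// Added example, not code from the advisory or from either package.
// Flags npm: alias overrides in a package.json and mismatched package
// names in a lockfile (v2/v3 "packages" map), the mechanism this report
// describes. Sample inputs below are constructed: the cross-fetch alias
// mirrors the one quoted in the advisory; other entries are placeholders.

// "npm:<name>@<range>" or "npm:<name>"; <name> may be scoped (@scope/pkg).
const ALIAS_RE = /^npm:((?:@[^/@]+\/)?[^@]+)(?:@(.+))?$/;

function parseAlias(spec) {
  const m = ALIAS_RE.exec(spec);
  return m ? { target: m[1], range: m[2] ?? "*" } : null;
}

function scopeOf(name) {
  return name.startsWith("@") ? name.split("/")[0] : null;
}

// Every dependency whose spec aliases a *different* package name is a
// finding. sameScopeAsPublisher marks the pattern from the advisory: the
// swapped-in package lives under the publishing package's own scope.
function findAliasOverrides(pkg) {
  const publisherScope = scopeOf(pkg.name ?? "");
  const findings = [];
  const fields = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(pkg[field] ?? {})) {
      const alias = parseAlias(String(spec));
      if (!alias || alias.target === name) continue;
      const targetScope = scopeOf(alias.target);
      findings.push({
        field, name, target: alias.target, range: alias.range,
        sameScopeAsPublisher: targetScope !== null && targetScope === publisherScope,
      });
    }
  }
  return findings;
}

// The installed name is everything after the last "node_modules/" in the
// lockfile path; for aliased entries the lockfile records the real package
// in "name", so a mismatch between the two reveals the alias.
function installedNameFromPath(p) {
  const marker = "node_modules/";
  const i = p.lastIndexOf(marker);
  return i === -1 ? null : p.slice(i + marker.length);
}

function findLockfileAliases(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    const installedAs = installedNameFromPath(path);
    if (installedAs === null || !entry.name || entry.name === installedAs) continue;
    findings.push({ path, installedAs, actual: entry.name, version: entry.version ?? null });
  }
  return findings;
}

// Constructed sample manifest; only the cross-fetch line comes from the advisory.
const SAMPLE_PACKAGE_JSON = {
  name: "@merceas/anchor",
  version: "0.32.3",
  dependencies: {
    "cross-fetch": "npm:@merceas/cross-fetch@3.1.9",
    "bn.js": "^5.2.0",                              // placeholder, not from the advisory
    "string-width-cjs": "npm:string-width@^4.2.0",  // placeholder: a benign-looking alias, still reported
  },
};

// Constructed sample lockfile (v3 layout) for the same tree.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "@merceas/anchor", version: "0.32.3" },
    "node_modules/cross-fetch": { name: "@merceas/cross-fetch", version: "3.1.9" },
    "node_modules/bn.js": { version: "5.2.1" },
    "node_modules/@types/node": { version: "20.0.0" },  // scoped path without an alias: not a finding
  },
};

function report() {
  return {
    manifest: findAliasOverrides(SAMPLE_PACKAGE_JSON),
    lockfile: findLockfileAliases(SAMPLE_LOCKFILE),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

An alias that renames a package is not malicious by itself (vendoring a fork or pinning a CommonJS build are common legitimate uses, which is why the placeholder string-width-cjs entry is also reported), so treat each finding as a review prompt: check whether the upstream package declares the plain dependency (here @coral-xyz/anchor uses cross-fetch directly), whether the alias target is published by the same account as the top-level package, and whether the target's source diverges from the package it replaces. On an installed tree, npm ls cross-fetch also exposes the aliased target.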