@solana-labs/etherjs @1.98.112
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID
MAL-2026-5362
Ecosystem
npm
Summary
Package is published as @solana-labs/etherjs but its README documents itself as @solana-labs/web3.js and instructs consumers to import { Connection, PublicKey, Keypair } from '@solana-labs/web3.js' — the legitimate Solana SDK is @solana/web3.js (no -labs). Developers who copy the README install line land on this package instead. The Node CommonJS and ESM bundles (lib/index.cjs.js, lib/index.esm.js) are a fork of solana-web3.js with an injected payload that, on require() / import, reads process.env (lines 11365-11366, 11448, 11453, 11542, 11547 in the CJS bundle) and POSTs the harvested data to a hardcoded bare IP http://104.239.66.223:8899 (line 11384) and to https://api.telegram.org/bot.../sendMessage with a fixed chat_id (lines 11415-11417). The same blocks repeatedly require('child_process') (lines 11441, 11466, 11479, 11495, 11535) and invoke curl, enabling attacker-influenced shell execution on the installer host. The browser/native bundles omit the payload, confirming it is gated to Node consumers. Both attacker destinations are hardcoded with no opt-out.
Source: amazon-inspector (5c086a8d2c3022bc55743fdca944c8810b997ec203e8742606bf14cccee721db)