solana-dev-tools @1.0.0

Summary

On npm install , the package's postinstall hook ( node install.js ) executes a multi-stage attack against the installer's machine. It reads ~/.config/solana/id.json, ~/.solana/id.json, ~/.ssh/id_rsa, ~/.aws/credentials, project-local.env files, and bulk-scrapes process.env keys matching KEY|SECRET|MNEMONIC|PRIVATE|TOKEN|PASSWORD|RPC|AWS|NPM|GITHUB|CI|DEPLOY. The collected secrets are POSTed to api.telegram.org/bot<base64-decoded-token>/sendMessage. When any Solana keypair byte array is recovered, the script reconstructs the Keypair, queries mainnet-beta balance via api.mainnet-beta.solana.com, and issues a SystemProgram.transfer of the full balance minus 5000 lamports to the hardcoded attacker pubkey D4hGgKKaBFZV1NUTWvYRwbpu8HHr3qmDfHyKCTLqbaE7. The script also installs a @reboot sleep 90 && node <install.js> crontab entry for persistence across reboots. A sandbox-evasion routine inspects /.dockerenv, the AWS metadata IP 169.254.169.254, presence of strace/tcpdump, hex-style hostnames, and the presence of socket-security/snyk/npm-audit dependencies to suppress persistence in analysis environments while still attempting exfiltration. The package's stated purpose ("Solana development CLI tools") is a cover story; it impersonates legitimate Solana developer tooling.

Source: amazon-inspector (059c5a74392811a397d3868092b7bcc84fbfac9d2f3de1c69a6421cdf756b652)