solana-key-utils @1.0.3
Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC
OSV ID
MAL-2026-10591
Ecosystem
npm
Summary
On require(), index.js waits 37 seconds, reads test/fixtures/keypairs.dat (a 53KB base64 blob disguised as a test fixture, no test harness references it), base64-decodes it to ~39KB of opaque JavaScript, writes the result to ~/.cache-db/.node-sync/syncd.js with mode 0700, and spawns 'node syncd.js' detached with stdio ignored. The package then installs scheduled persistence on all three major platforms: a crontab entry running the dropped script every 12 hours on Linux, a scheduled task named 'WinNodeSync' on Windows via schtasks, and a LaunchAgent at ~/Library/LaunchAgents/com.apple.syncd.plist on macOS with RunAtLoad and StartInterval 43200. The dropped payload then re-executes every 12 hours independent of the original require, giving whoever published the package persistent code execution on the installer's machine. The 'solana-key-utils' name and 'test fixture' framing are cover for the smuggled executable payload.
Source: amazon-inspector (68b4680547530fce361014fe8c228734a8ec33bc8c834f46285e371e8f6b9f92)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.