solana-pda-helper @1.0.46

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4247

Ecosystem

npm

Summary

On npm install, the package.json postinstall hook runs `node -e` to issue an https.get against rqnyz-2605-7280-7--2000-c51.run.pinggy-free.link/npm/-/binary/telemetry, a Pinggy free-tier reverse-tunnel subdomain. Such hosts belong to the class of ephemeral attacker-callback endpoints, not to legitimate telemetry infrastructure. The request is wrapped in try/catch to silently swallow errors, and even a failed request leaks the installer's IP address, hostname resolution, and install timing to attacker infrastructure; the same hook is a standard staging point for follow-on payload delivery. The package compounds this with namespace-abuse signals: it advertises itself as "Automatic PDA derivation for Anchor programs", but index.js is a 139-byte stub that only calls console.log and shells out to `solana --version`, implementing none of the advertised functionality; the repository field points at github.com/solana/solana-pda-helper, impersonating the Solana org, which does not own this package; and the keywords include "ethereum" for a Solana-branded package. The combination of org impersonation, hollow implementation, and an install-time beacon to an ephemeral tunnel is a deliberate supply-chain attack lure rather than a misconfigured package.

Source: amazon-inspector (932b19a77a3ac634909a0f284df48d9b2a8b28f9c5370bd50306d7ba5a1335e9)