@solana-labs/web3.jsnpm

Package @solana-labs/web3.js impersonates the legitimate @solana/web3.js and re-exports it as cover while running a malicious postinstall (node install.js). On npm install, install.js performs sandbox-evasion checks (hostname pattern scoring for Docker/AWS/CI runners, /proc/uptime, presence of strace/tcpdump/auditd, AWS metadata 169.254.169.254, security-tooling dependencies) and aborts if it detects analysis. Otherwise it enumerates installer secrets — ~/.ssh/id_rsa, ~/.aws/credentials, ~/.config/solana/id.json, .env files, and scrapes process.env for KEY/SECRET/MNEMONIC/NPM/GITHUB tokens — and harvests crypto material including ETH private keys (/0x[a-fA-F0-9]{64}/), Solana 64-byte arrays, and AWS keys. Stolen data is tagged [ETH]/[SOLANA]/[AWS]/[SSH]/[NPM]/[GITHUB] and exfiltrated to api.telegram.org/bot<token>/... using XOR-obfuscated bot token, chat ID, and HMAC auth secret embedded in install.js. install.js then enters a long-poll loop against Telegram getUpdates accepting commands /keys, /ssh, /env, /wallet, /sh <cmd>, and bare text, executing them via execSync (PowerShell on Windows) and returning output to the attacker — a full reverse-shell C2 backdoor. Persistence is established via a @reboot sleep 90 && node <path> crontab entry. A hardcoded Solana drain address D4hGgKKaBFZV1NUTWvYRwbpu8HHr3qmDfHyKCTLqbaE7 is present for wallet theft.