Malicious package

@solana-labs/web3js (npm)

Malicious code in @solana-labs/web3js (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5788
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall @solana-labs/web3js

What this malware does

This package impersonates the legitimate @solana/web3.js library under a confusable scope (@solana-labs/web3js). On npm install, the postinstall hook executes install.js, which loads os, child_process, fs, and https, collects host identifiers via os.hostname() and os.userInfo() along with process.platform, probes filesystem paths via fs.existsSync(...), and issues HTTPS POST requests carrying the harvested information. install.js also invokes execSync('powershell...') and execSync('curl...') to run shell commands fetched/triggered at install time. A reference to http://www.apple.com appears alongside the exfiltration code, consistent with connectivity-check or decoy behavior. The combination of name-squat against a widely used Solana library, automatic execution at install via postinstall, host enumeration, and shell execution constitutes an installer-targeted supply-chain attack.

Malicious versions

6 flagged
1.0.0, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.10
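
An added example (not from the advisory or its finder): a check over a parsed package-lock.json that reports every entry resolving to @solana-labs/web3js, including npm aliases and nested installs, and marks whether its version is one of the six flagged here. The function name, result fields and sample lockfile are constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json for the package in this advisory.
const BAD_NAME = "@solana-labs/web3js";
const FLAGGED = new Set(["1.0.0", "1.0.5", "1.0.6", "1.0.7", "1.0.8", "1.0.10"]);
const MARK = "node_modules/";

// Returns one record per lockfile entry that resolves to BAD_NAME.
// Any version is reported; flaggedVersion says whether it is on the advisory's list.
function findMaliciousEntries(lock) {
  const hits = [];
  const record = (path, version, hasInstallScript) =>
    hits.push({ path, version, flaggedVersion: FLAGGED.has(version), hasInstallScript });

  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  // An aliased install keeps the real package name in meta.name.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf(MARK);
    const name = meta.name || (i === -1 ? path : path.slice(i + MARK.length));
    if (name === BAD_NAME) record(path, meta.version, meta.hasInstallScript === true);
  }

  // lockfileVersion 1: nested "dependencies" tree keyed by package name.
  // This format does not record install scripts, so the field is null.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === BAD_NAME) record(here.join(" > "), meta.version, null);
      walk(meta.dependencies, here);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0" },
    "node_modules/@solana/web3.js": { version: "1.95.0" },
    "node_modules/@solana-labs/web3js": { version: "1.0.7", hasInstallScript: true },
    "node_modules/some-tool/node_modules/web3": { name: "@solana-labs/web3js", version: "2.0.0" },
  },
};

for (const hit of findMaliciousEntries(sampleLock)) console.log(hit);
```

On a real project, pass the result of JSON.parse on the package-lock.json contents. The legitimate @solana/web3.js entry is not reported because the match is on the exact package name.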

Indicators of compromise (SHA-256)

Frequently asked questions

No. @solana-labs/web3js on npm has been identified as a malicious package (versions 1.0.0, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.10 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006571, IN-MAL-2026-006566, IN-MAL-2026-006572, IN-MAL-2026-006562, IN-MAL-2026-006570, IN-MAL-2026-006563, IN-MAL-2026-006568, IN-MAL-2026-006565, IN-MAL-2026-006567, IN-MAL-2026-006561, IN-MAL-2026-006569, IN-MAL-2026-006564

References

Credits

  • Amazon Inspector · finder
