Which versions of solana-js-client are malicious?

The following npm versions of solana-js-client are flagged malicious: 1.0.0. Treat any of these as compromised.

How do I remediate solana-js-client if I installed it?

Remove solana-js-client from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is solana-js-client part of a known attack campaign?

Yes — solana-js-client is associated with the IN-MAL-2026-006745 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect solana-js-client in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking solana-js-client and packages like it before any post-install script runs.

Malicious package

solana-js-clientnpm

Malicious code in solana-js-client (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5860

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall solana-js-client

What this malware does

Package masquerades as a 'Drop-in replacement for @solana/web3.js' and lists its author as 'Solana Labs Maintainers [email protected]' to impersonate the legitimate Solana Labs publisher. The published bundles lib/index.cjs.js and lib/index.esm.js contain an injected payload at the tail of the file with no counterpart in src/. The payload requires child_process, shells out via curl/ping, and references a hardcoded plain-HTTP endpoint http://104.239.66.223:8899 (port 8899 is the Solana JSON-RPC port) along with Telegram Bot API sendMessage URLs carrying a chat_id controlled by the attacker. Because the package's primary API is the Connection class, any consumer wallet or dApp that imports this drop-in replacement can have its outbound RPC traffic, signed transactions, or seed material silently rerouted to the attacker-owned RPC and exfiltrated to the attacker's Telegram bot. Indicators: rogue RPC at 104.239.66.223:8899; exfiltration channel via api.telegram.org/bot<redacted>/sendMessage.

Malicious versions

1 flagged

1.0.0

Indicators of compromise (SHA-256)

855cf386497f33e21db48ae8b87c769fd777f52b585f3d8d5f276fd4c9d42628

Frequently asked questions

No. solana-js-client on npm has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006745

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection