Malicious package

solana-web3-community (npm)

Malicious code in solana-web3-community (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5560
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall solana-web3-community

What this malware does

The package masquerades as the official @solana/web3.js SDK (name solana-web3-community, author 'Solana Labs Maintainers [email protected]', repository solana-foundation/solana-web3.js, homepage solana.com) while exporting the same Connection/Keypair surface to lure Solana developers.

On import, lib/index.cjs.js (and its ESM twin lib/index.esm.js) executes a credential-stealing payload that reads ~/.config/solana/id.json, ~/.ssh/id_rsa, ~/.aws/credentials, and project .env files, and iterates over process.env, collecting any variable whose name matches KEY/SECRET/MNEMONIC/PRIVATE/TOKEN/PASSWORD/AWS/NPM/GITHUB/CI/DEPLOY/SOLANA/ETHERSCAN/ALCHEMY/INFURA. Stolen data is exfiltrated by GET/POST to https://api.telegram.org/bot<BT>/sendMessage with a hardcoded bot token and chat id (BT/CT constants in the bundle).

The same module also rewrites json_rpc_url in ~/.config/solana/cli/config.yml to http://104.239.66.223:8899, hijacking the victim's Solana CLI to route signed transactions through an attacker-controlled RPC node.

A sh() helper invokes child_process.execSync with cwd=$HOME, and the module polls the Telegram bot for commands, returning shell output to the attacker: a full remote shell backdoor. Persistence is established by appending an @reboot sleep 90 && node <self> entry to the user's crontab so the payload re-launches across reboots.
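
A read-only triage script for the host artifacts described above, added here as an example and not taken from the advisory or its publisher. The function names and the "scan" argument are hypothetical; the paths, the RPC address and the crontab pattern are the ones the advisory names, and default file locations are assumed.

```shell
#!/bin/sh
# Added triage example: read-only checks for artifacts named in the advisory.
# Function names are hypothetical; nothing here modifies the host.
PKG='solana-web3-community'
RPC_IP='104\.239\.66\.223'   # attacker RPC host from the advisory (regex-escaped)

# True if project dir $1 has the package installed or named in a manifest/lockfile.
manifest_refs_pkg() {
  [ -d "$1/node_modules/$PKG" ] && return 0
  for f in "$1/package.json" "$1/package-lock.json" "$1/yarn.lock"; do
    [ -f "$f" ] && grep -qE "(^|[\"/ ])$PKG[\"@]" "$f" && return 0
  done
  return 1
}

# True if the Solana CLI config at $1 points json_rpc_url at the attacker host.
rpc_hijacked() {
  grep -qE "^[[:space:]]*json_rpc_url:.*$RPC_IP" "$1" 2>/dev/null
}

# True if crontab text on stdin contains the '@reboot sleep 90 && node <path>' entry.
cron_persistence() {
  grep -qE '^[[:space:]]*@reboot[[:space:]]+sleep[[:space:]]+90[[:space:]]*&&[[:space:]]*node[[:space:]]'
}

# Run every check for project dir $1 and the current user.
# Prints findings; returns 1 if anything matched, 0 otherwise.
scan_host() {
  hits=0
  if manifest_refs_pkg "$1"; then
    echo "FOUND: $PKG installed or referenced in $1"; hits=1
  fi
  if rpc_hijacked "$HOME/.config/solana/cli/config.yml"; then
    echo "FOUND: Solana CLI json_rpc_url points at the attacker RPC node"; hits=1
  fi
  if crontab -l 2>/dev/null | cron_persistence; then
    echo "FOUND: @reboot node entry in crontab; review before removing"; hits=1
  fi
  [ "$hits" -eq 0 ] && echo "No indicators from the advisory found"
  return "$hits"
}

# Usage: sh triage.sh scan [project-dir]
if [ "${1:-}" = scan ]; then scan_host "${2:-.}"; fi
```

A clean result does not clear the host: if the package was ever imported, the credentials listed above should still be rotated.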

Malicious versions

3 flagged
1.0.0, 1.0.1, 1.0.2

Indicators of compromise (SHA-256)

202fa4daf22c4ecace931dfbdbeee6821fe42c14956d35c763c55051528dee12
65a5cce495647c979c3983e1cdd2a9049b8ba484a05e5f201bb7e10bc9dd571e
c45c7686460eaf5f532a9b90f84e6e447d0661657aaf11994acfe77954f3ef91

Frequently asked questions

No. solana-web3-community on npm has been identified as a malicious package (versions 1.0.0, 1.0.1, 1.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005418, IN-MAL-2026-005419, IN-MAL-2026-005420

Credits

  • Amazon Inspector · finder

solana-web3-community (npm) malicious package — MAL-2026-5560 | O3 Security