Supply-chain threat intelligence

Incident detail

critical · npm · credential theft · osv

Malicious code in solana-js-client (npm)

solana-js-client

Risk score

92

AI summary

Indexed incident for solana-js-client (npm).

Description

Package masquerades as a 'Drop-in replacement for @solana/web3.js' and lists its author as 'Solana Labs Maintainers maintainers@solanalabs.com' to impersonate the legitimate Solana Labs publisher. The published bundles lib/index.cjs.js and lib/index.esm.js contain an injected payload at the tail of the file with no counterpart in src/. The payload requires child_process, shells out via curl/ping, and references a hardcoded plain-HTTP endpoint http://104.239.66.223:8899 (port 8899 is the Solana JSON-RPC port) along with Telegram Bot API sendMessage URLs carrying a chat_id controlled by the attacker. Because the package's primary API is the Connection class, any consumer wallet or dApp that imports this drop-in replacement can have its outbound RPC traffic, signed transactions, or seed material silently rerouted to the attacker-owned RPC and exfiltrated to the attacker's Telegram bot. Indicators: rogue RPC at 104.239.66.223:8899; exfiltration channel via api.telegram.org/bot/sendMessage.
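The injection pattern described above (a payload appended to the built lib/ bundles with no counterpart in src/, a child_process require, curl/ping shell-outs, a hardcoded plain-HTTP IP:port endpoint and Telegram Bot API sendMessage URLs) can be checked for mechanically before a package is allowed into a build. The following scanner is an added example written for this page, not ThreatPkg's tooling or anything from the package itself. It assumes the package is handed over as a mapping of file paths to text, the regexes are constructed heuristics, and the bundle tail in the sample is a constructed mock that only mirrors the indicators named on the page (the token and chat_id are placeholders, not real values).

```python
"""Heuristic scan of an npm package's built bundles for tail-injected code.

Flags indicators in lib/*.js and reports whether each matched fragment also
appears somewhere under src/. An indicator that exists only in the built
bundle is the 'no counterpart in src/' signal described in the advisory.
Added example; not part of the original page or the ThreatPkg project.
"""
import re
from typing import Dict, List

# Constructed indicator patterns (assumption: these cover the forms on the page).
PATTERNS = {
    "child_process": re.compile(
        r"""require\(\s*(['"])child_process\1\s*\)|from\s+(['"])child_process\2"""),
    "shell_out": re.compile(r"""['"`](?:curl|ping)\s"""),
    "plain_http_ip": re.compile(r"http://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?"),
    "telegram_sendmessage": re.compile(
        r"https?://api\.telegram\.org/bot[^/\s]*/sendMessage"),
}


def src_corpus(files: Dict[str, str]) -> str:
    """Concatenate everything under src/ so bundle fragments can be looked up."""
    return "\n".join(text for path, text in files.items() if path.startswith("src/"))


def scan_bundle(path: str, text: str, src_text: str) -> List[dict]:
    """Run every indicator over one built bundle and note its position in the file."""
    findings = []
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append({
                "file": path,
                "indicator": name,
                "match": match.group(0),
                # 0.0 = start of file, 1.0 = end; tail injections cluster near 1.0
                "position": round(match.start() / max(len(text), 1), 2),
                "in_src": match.group(0) in src_text,
            })
    return findings


def scan_package(files: Dict[str, str]) -> List[dict]:
    """Scan every lib/*.js bundle of a package given as {path: contents}."""
    src_text = src_corpus(files)
    findings = []
    for path, text in files.items():
        if path.startswith("lib/") and path.endswith(".js"):
            findings.extend(scan_bundle(path, text, src_text))
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings per indicator name."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["indicator"]] = counts.get(f["indicator"], 0) + 1
    return counts


def risk_verdict(findings: List[dict]) -> bool:
    """True when any indicator in a built bundle has no counterpart in src/."""
    return any(not f["in_src"] for f in findings)


# Constructed sample package: a legitimate-looking src/ and a bundle whose tail
# carries only the indicator strings named in the advisory (not a real payload).
SAMPLE_FILES = {
    "src/index.ts": (
        "export class Connection {\n"
        "  constructor(public endpoint: string) {}\n"
        "}\n"
    ),
    "lib/index.cjs.js": (
        '"use strict";\n'
        "class Connection { constructor(endpoint) { this.endpoint = endpoint; } }\n"
        "exports.Connection = Connection;\n"
        "// --- constructed injected tail mirroring the page's indicators ---\n"
        'const cp = require("child_process");\n'
        'const RPC = "http://104.239.66.223:8899";\n'
        'const TG = "https://api.telegram.org/bot<TOKEN>/sendMessage?chat_id=<CHAT_ID>";\n'
        'cp.execSync("curl -s " + RPC);\n'
    ),
}

# Constructed clean package: bundle matches src/ with nothing appended.
CLEAN_FILES = {
    "src/index.ts": SAMPLE_FILES["src/index.ts"],
    "lib/index.cjs.js": (
        '"use strict";\n'
        "class Connection { constructor(endpoint) { this.endpoint = endpoint; } }\n"
        "exports.Connection = Connection;\n"
    ),
}

if __name__ == "__main__":
    hits = scan_package(SAMPLE_FILES)
    for h in hits:
        print(f'{h["file"]} @{h["position"]:.2f} {h["indicator"]}: {h["match"]} in_src={h["in_src"]}')
    print("summary:", summarize(hits), "flag:", risk_verdict(hits))
    print("clean package flag:", risk_verdict(scan_package(CLEAN_FILES)))
```

Run against a real unpacked tarball by reading each file under lib/ and src/ into the same path-to-text mapping; the `position` field is what shows the page's "tail of the file" observation, since every hit in the sample lands past the midpoint of the bundle while nothing under src/ matches.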

Technical details

Affected versions

= 1.0.0

Indicators

  • affected version = 1.0.0 · 75%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents