Supply-chain threat intelligence
Risk score: 92
Indexed incident for @solana-labs/web3-js (npm).
Package name @solana-labs/web3-js impersonates the legitimate @solana/web3.js, and index.js simply re-exports the real package as cover. The postinstall hook in package.json runs node install.js, which executes a full attack chain on every install:

(1) XOR-decodes a hardcoded Telegram bot token and chat id;
(2) collect() reads installer secrets from ~/.ssh/id_rsa, ~/.aws/credentials, ~/.config/solana/id.json, ~/.solana/id.json, project and system .env files (/root/.env, /home/node/.env, /app/.env), and scrapes process.env for variables matching /KEY|SECRET|MNEMONIC|PRIVATE|TOKEN|AWS|NPM|GITHUB/i;
(3) exfilNow() POSTs the harvested secrets in chunks to api.telegram.org/bot<token>/sendMessage;
(4) writes /tmp/.cron-tmp and pipes it through crontab - to install an @reboot sleep 90 && node install.js persistence entry;
(5) enters an infinite c2Loop() polling Telegram getUpdates and dispatching attacker-supplied /sh, /cmd, /keys, /ssh, /env, /wallet commands through execSync, giving the operator arbitrary remote code execution.

An HMAC AUTH_SECRET and the bot credentials are XOR-obfuscated, with an in-source comment acknowledging anti-scanner intent.
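A pre-install triage for the traits described above, as an added example that is not part of the original report or of the OpenSSF analysis: it flags a scoped name that shadows an allowlisted dependency, any install lifecycle hook, and the described behaviours in the script that hook runs. The LEGIT allowlist, the function names and the SAMPLE_* inputs are constructed assumptions.

```javascript
// Added example: static triage of an unpacked npm package before install.
// LEGIT and the SAMPLE_* values are constructed assumptions, not data from the package.
const LEGIT = ['@solana/web3.js'];   // names the project really depends on
const HOOKS = ['preinstall', 'install', 'postinstall'];
const BEHAVIOURS = [                 // traits named in the incident description
  ['telegram-endpoint', /api\.telegram\.org\/bot/i],
  ['crontab-persistence', /crontab\s+-|@reboot/],
  ['shell-exec', /\bexecSync\s*\(/],
  ['secret-paths', /\.ssh\/id_rsa|\.aws\/credentials|solana\/id\.json/],
];

// Split "@scope/name" and fold separators so web3-js and web3.js compare equal.
function parts(pkgName) {
  const m = /^(?:@([^/]+)\/)?(.+)$/.exec(pkgName.toLowerCase());
  return { scope: m[1] || '', base: m[2].replace(/[-._]/g, '') };
}

// A lookalike has the same folded base name as an allowlisted package and a
// scope embedding the legitimate scope, without being that exact package.
function lookalikeOf(pkgName) {
  const p = parts(pkgName);
  return LEGIT.find((legit) => {
    const l = parts(legit);
    return legit !== pkgName && p.base === l.base && p.scope.includes(l.scope);
  }) || null;
}

// files maps relative path -> source text of the unpacked tarball.
function triage(manifest, files) {
  const findings = [];
  const twin = lookalikeOf(manifest.name);
  if (twin) findings.push(`name-lookalike:${twin}`);
  for (const hook of HOOKS) {
    const cmd = (manifest.scripts || {})[hook];
    if (!cmd) continue;
    findings.push(`lifecycle-hook:${hook}`);
    const target = /\bnode\s+(\S+)/.exec(cmd);   // follow "node <file>"
    const src = target ? files[target[1].replace(/^\.\//, '')] : undefined;
    if (typeof src !== 'string') continue;
    for (const [label, re] of BEHAVIOURS) if (re.test(src)) findings.push(`${hook}:${label}`);
  }
  return findings;
}

// Constructed stand-in for the package: inert text carrying the described traits.
const SAMPLE_MANIFEST = { name: '@solana-labs/web3-js', scripts: { postinstall: 'node install.js' } };
const SAMPLE_FILES = { 'install.js': "// reads ~/.ssh/id_rsa\n// api.telegram.org/bot<token>/sendMessage\n// execSync('crontab - ')\n" };
console.log(triage(SAMPLE_MANIFEST, SAMPLE_FILES));
```

Because the XOR-obfuscated token and secret will not match string patterns, the lifecycle-hook and name-lookalike findings are the ones to act on even when no behaviour pattern fires.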
The OpenSSF Package Analysis project identified '@solana-labs/web3-js' @ 1.0.0 (npm) as malicious.
It is considered malicious because:
The package communicates with a domain associated with malicious activity.
The package executes one or more commands associated with malicious behavior.