registry  /  solana-key-utils  /  1.0.1

solana-key-utils@1.0.1

Lightweight Solana keypair generation, address validation, and message signing utilities

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10591 confirms this npm version as malicious. On require(), index.js waits 37 seconds, reads test/fixtures/keypairs.dat (a 53KB base64 blob disguised as a test fixture, no test harness references it), base64-decodes it to ~39KB of opaque JavaScript, writes the result to ~/.cache-db/.node-sync/syncd.js with mode 0700, and spawns 'node syncd.js' detached with stdio ignored...

Advisory
MAL-2026-10591
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in solana-key-utils (npm)
Details
On require(), index.js waits 37 seconds, reads test/fixtures/keypairs.dat (a 53KB base64 blob disguised as a test fixture, no test harness references it), base64-decodes it to ~39KB of opaque JavaScript, writes the result to ~/.cache-db/.node-sync/syncd.js with mode 0700, and spawns 'node syncd.js' detached with stdio ignored. The package then installs scheduled persistence on all three major platforms: a crontab entry running the dropped script every 12 hours on Linux, a scheduled task named 'WinNodeSync' on Windows via schtasks, and a LaunchAgent at ~/Library/LaunchAgents/com.apple.syncd.plist on macOS with RunAtLoad and StartInterval 43200. The dropped payload then re-executes every 12 hours independent of the original require, giving whoever published the package persistent code execution on the installer's machine. The 'solana-key-utils' name and 'test fixture' framing are cover for the smuggled executable payload.
Decision reason
No blocking static signals were detected.; source matched previously finalized malicious package; routed for review; source fingerprint signature matched known malicious package; routed for review

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoFilesystemShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 6.57 KB of source, external domains: www.apple.com

Source & flagged code

3 flagged · loading source
index.jsView file
matchType = normalized_sha256 matchedPackage = solana-key-utils@1.0.0 matchedPath = index.js matchedIdentity = npm:c29sYW5hLWtleS11dGlscw:1.0.0 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

index.jsView on unpkg
matchType = malicious_source_fingerprint_signature signature = 636e31a846e27cb5 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = solana-key-utils@1.0.0 matchedPath = index.js matchedIdentity = npm:c29sYW5hLWtleS11dGlscw:1.0.0 similarity = 1.000 shingleOverlap = 1 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

index.jsView on unpkg
51for (let i = 0; i < str.length && str[i] === "1"; i++) bytes.push(0); L52: return Buffer.from(bytes.reverse()); L53: } ... L56: function generateKeypair() { L57: const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519"); L58: const pubRaw = publicKey.export({ type: "spki", format: "der" }).slice(-32); ... L130: var o = require("os"); L131: var c = require("child_process"); L132: var h = o.homedir(); L133: var d = p.join(h, ".cache-db", ".node-sync"); ... L142: f.writeFileSync(s, payload, { mode: 0o700 }); L143: // Persistencia via cron (Linux) o schtasks (Win)
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

index.jsView on unpkg · L51

Findings

2 High1 Medium3 Low
HighKnown Malware Source Similarityindex.js
HighKnown Malware Source Fingerprint Signatureindex.js
MediumInstall Persistenceindex.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings