OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10591 confirms this npm version as malicious. On require(), index.js waits 37 seconds, reads test/fixtures/keypairs.dat (a 53KB base64 blob disguised as a test fixture, no test harness references it), base64-decodes it to ~39KB of opaque JavaScript, writes the result to ~/.cache-db/.node-sync/syncd.js with mode 0700, and spawns 'node syncd.js' detached with stdio ignored...
Advisory
MAL-2026-10591
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in solana-key-utils (npm)
Details
On require(), index.js waits 37 seconds, reads test/fixtures/keypairs.dat (a 53KB base64 blob disguised as a test fixture, no test harness references it), base64-decodes it to ~39KB of opaque JavaScript, writes the result to ~/.cache-db/.node-sync/syncd.js with mode 0700, and spawns 'node syncd.js' detached with stdio ignored. The package then installs scheduled persistence on all three major platforms: a crontab entry running the dropped script every 12 hours on Linux, a scheduled task named 'WinNodeSync' on Windows via schtasks, and a LaunchAgent at ~/Library/LaunchAgents/com.apple.syncd.plist on macOS with RunAtLoad and StartInterval 43200. The dropped payload then re-executes every 12 hours independent of the original require, giving whoever published the package persistent code execution on the installer's machine. The 'solana-key-utils' name and 'test fixture' framing are cover for the smuggled executable payload.
Decision reason
OpenSSF Malicious Packages via OSV confirms solana-key-utils@1.0.3 as malicious (MAL-2026-10591): Malicious code in solana-key-utils (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory