MAL-2026-6509: Malicious code in @merceas/anchor (npm)
The @merceas/anchor npm package is a typosquatting impersonation of the legitimate @coral-xyz/anchor Solana Anchor SDK. It replaces the standard cross-fetch dependency with a malicious aliased package under the same scope, causing all HTTP requests made through the SDK to be routed through attacker-controlled code. This malicious behavior is embedded in the transitive dependency @merceas/cross-fetch, not directly in the main package tarball. Versions 0.32.1 and 0.32.3 of @merceas/anchor are affected.
AI Analysis
Technical Summary
The @merceas/anchor package is a malicious typosquat of the legitimate @coral-xyz/anchor SDK. Its package.json overrides the standard cross-fetch dependency with an npm alias pointing to a malicious fork under the @merceas scope. This causes all HTTP calls made through the SDK, including internal registry queries and any consumer fetches, to be routed through attacker-controlled code in the transitive dependency @merceas/cross-fetch. The attack vector is the forced installation of this malicious transitive package, enabling potential interception or manipulation of network requests made by the SDK.
Potential Impact
Users installing @merceas/anchor versions 0.32.1 and 0.32.3 unknowingly pull in a malicious transitive dependency that intercepts all HTTP requests made through the SDK. This can lead to data interception, manipulation, or other malicious activities controlled by the attacker. The malicious code is not in the main package tarball but in the aliased cross-fetch dependency, making detection harder.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should avoid installing or using the @merceas/anchor package, especially versions 0.32.1 and 0.32.3. Instead, use the legitimate @coral-xyz/anchor package from the official source. Monitor vendor advisories for updates or official fixes. Since this is a typosquatting attack, verifying package authenticity before installation is critical.
MAL-2026-6509: Malicious code in @merceas/anchor (npm)
Description
The @merceas/anchor npm package is a typosquatting impersonation of the legitimate @coral-xyz/anchor Solana Anchor SDK. It replaces the standard cross-fetch dependency with a malicious aliased package under the same scope, causing all HTTP requests made through the SDK to be routed through attacker-controlled code. This malicious behavior is embedded in the transitive dependency @merceas/cross-fetch, not directly in the main package tarball. Versions 0.32.1 and 0.32.3 of @merceas/anchor are affected.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The @merceas/anchor package is a malicious typosquat of the legitimate @coral-xyz/anchor SDK. Its package.json overrides the standard cross-fetch dependency with an npm alias pointing to a malicious fork under the @merceas scope. This causes all HTTP calls made through the SDK, including internal registry queries and any consumer fetches, to be routed through attacker-controlled code in the transitive dependency @merceas/cross-fetch. The attack vector is the forced installation of this malicious transitive package, enabling potential interception or manipulation of network requests made by the SDK.
Potential Impact
Users installing @merceas/anchor versions 0.32.1 and 0.32.3 unknowingly pull in a malicious transitive dependency that intercepts all HTTP requests made through the SDK. This can lead to data interception, manipulation, or other malicious activities controlled by the attacker. The malicious code is not in the main package tarball but in the aliased cross-fetch dependency, making detection harder.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should avoid installing or using the @merceas/anchor package, especially versions 0.32.1 and 0.32.3. Instead, use the legitimate @coral-xyz/anchor package from the official source. Monitor vendor advisories for updates or official fixes. Since this is a typosquatting attack, verifying package authenticity before installation is critical.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-6509
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a3ef7bb27e9c79719ffc73f
Added to database: 06/26/2026, 22:05:47 UTC
Last enriched: 06/26/2026, 22:32:57 UTC
Last updated: 06/26/2026, 22:32:57 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.