4 matches found
RUSTSEC-2026-0146 `InterfaceAccount` allows account substitution between unexpected types
Affected versions of `anchor-lang` allowed `InterfaceAccount` to accept accounts with an unexpected Anchor discriminator. A change to `InterfaceAccount` caused checked deserialization to be bypassed for this account wrapper, so validation proved only that the account owner matched one of the accepted...
`InterfaceAccount` allows account substitution between unexpected types
Affected versions of `anchor-lang` allowed `InterfaceAccount` to accept accounts with an unexpected Anchor discriminator. A change to `InterfaceAccount` caused checked deserialization to be bypassed for this account wrapper, so validation proved only that the account owner matched one of the accepted...
RUSTSEC-2026-0144 `Program<System>` accepts arbitrary executable programs
Affected versions of `anchor-lang` did not properly validate accounts declared as `Program`. The generic `Program` validation path used `Pubkey::default` as a sentinel to decide whether any executable program should be accepted. Since the system program id is also the default pubkey, `Program` was treated...
Malicious code in anchor-lang (npm)
Source: ghsa-malware (ead75f6f1a06885c859de3db6135c335ed8dfe9a9f6b95aa938723e6cf38c80a). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...