Multiple malicious npm packages have been discovered targeting Solana private keys, posing a significant threat to users of Solana wallets. The packages, including '@async-mutex/mutex', 'dexscreener', 'solana-transaction-toolkit' and 'solana-stable-web-huks', rely on typosquatting and on impersonating legitimate projects ('@async-mutex/mutex', for example, imitates the widely used 'async-mutex' library) to look legitimate while secretly harvesting and exfiltrating private keys. The threat actors reuse similar code across the packages to intercept private keys during wallet interactions and then send the stolen material out through Gmail's SMTP servers. Because that traffic goes to Google's mail infrastructure over TLS, it blends in with legitimate e-mail and is rarely blocked by firewalls or egress filters that trust Google's domains. The flip side is that a build server or developer workstation normally has no reason to open an outbound SMTP session to Gmail at all, so such a connection from a Node process is itself a useful detection signal.
The malicious packages do not only steal private keys; some also actively drain victims' wallets. 'solana-transaction-toolkit' and 'solana-stable-web-huks' were found to transfer up to 98% of the funds in a user's wallet to attacker-controlled addresses. The threat actors also created fake GitHub repositories, dressed up as helpful Solana development tools, to spread the malicious code further. Security researchers urge users to be cautious when installing packages, especially ones with unusual names, unfamiliar scopes or low download counts: verify the exact name against the project's own documentation and check whether a dependency pulls in mail or network libraries its stated purpose does not need. Anyone who has loaded a wallet key on a machine where one of these packages was installed should treat that key as compromised; since a Solana key cannot be rotated in place, the funds should be moved to a freshly generated wallet. At the time of writing some of the packages were still available on npm, and efforts were under way to remove them and the associated GitHub repositories.