
Hackers Deploy Malicious npm Packages to Steal Solana Wallet Keys via Gmail SMTP


By WIRE TOR - Ethical Hacking Services. Published 12 months ago. 3 min read

🔍 Overview of Malicious npm Packages Attack

Cybersecurity researchers have uncovered a new wave of malicious activity targeting developers and users in the cryptocurrency ecosystem. This campaign uses compromised npm and Python Package Index (PyPI) repositories to deliver malicious packages aimed at stealing sensitive information, including Solana wallet keys. These packages, disguised as legitimate libraries, exploit supply chain vulnerabilities to infiltrate victims' systems.

🛑 List of Malicious Packages

The identified malicious packages include:

  • @async-mutex/mutex (a typosquat of async-mute)
  • dexscreener (masquerades as a library for accessing liquidity pool data from decentralized exchanges)
  • solana-transaction-toolkit
  • solana-stable-web-huks
  • cschokidar-next (a typosquat of chokidar)
  • achokidar-next (a typosquat of chokidar)
  • achalk-next (a typosquat of chalk)
  • csbchalk-next (a typosquat of chalk)
  • cschalk (a typosquat of chalk)
  • pycord-self (a typosquat of discord.py-self)

These packages pose significant threats by exfiltrating sensitive data, enabling attackers to delete files, and maintaining backdoor access to infected systems.

⚠️ Threat to Solana Wallets

The first four packages are particularly dangerous for Solana wallet users, as they are designed to:

  • 🔑 Intercept Private Keys: Extract private keys from victims' systems.
  • 📤 Exfiltrate Data via Gmail SMTP: Leverage Gmail’s trusted email infrastructure to bypass detection mechanisms like firewalls and endpoint security systems.
  • 💸 Drain Wallet Funds: Automatically transfer up to 98% of wallet contents to attacker-controlled Solana addresses, while masquerading as legitimate tools offering Solana-specific functionality.

Gmail’s trusted status allows attackers to avoid detection, making these exfiltration attempts highly effective.
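The detection gap described above is narrower than it looks: a developer laptop or CI runner has no business opening an SMTP session itself, so outbound connections to mail submission ports from non-mail processes stand out in egress telemetry. The following is an added example (not code from the article or from any project it names) that runs a simple rule over constructed connection-log lines; the log format, the host allowlist and the mail-client process names are assumptions for the illustration.

```python
"""Flag SMTP egress from hosts and processes that should never send mail directly.

Added example. The log lines below are constructed; real deployments would
feed in firewall, EDR or Zeek/Sysmon network events in their own format.
"""
import re
from typing import Dict, List

SMTP_PORTS = {25, 465, 587}          # SMTP, SMTPS, submission
GMAIL_SMTP = "smtp.gmail.com"        # the relay the article says the packages used

# Assumed allowlists: the hosts and client processes that legitimately speak SMTP.
MAIL_RELAYS = {"mail-relay-01"}
MAIL_CLIENTS = {"thunderbird", "outlook", "postfix"}

# Constructed sample telemetry: one event per line, space-separated key=value fields.
SAMPLE_LOG = """\
2025-01-10T09:14:02Z host=dev-laptop-07 proc=node dst=smtp.gmail.com dport=465 proto=tcp
2025-01-10T09:14:05Z host=dev-laptop-07 proc=node dst=registry.npmjs.org dport=443 proto=tcp
2025-01-10T09:15:11Z host=dev-laptop-03 proc=thunderbird dst=smtp.gmail.com dport=587 proto=tcp
2025-01-10T09:16:40Z host=mail-relay-01 proc=postfix dst=alt1.gmail-smtp-in.l.google.com dport=25 proto=tcp
2025-01-10T09:17:03Z host=ci-runner-12 proc=python3 dst=smtp.gmail.com dport=587 proto=tcp
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Turn one 'ts key=value ...' line into a dict (dport kept as a string here)."""
    fields = dict(_KV.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def is_suspicious(event: Dict[str, str]) -> bool:
    """SMTP-looking egress from anything that is not a known relay or mail client."""
    try:
        dport = int(event.get("dport", "0"))
    except ValueError:
        dport = 0
    smtp_like = dport in SMTP_PORTS or event.get("dst") == GMAIL_SMTP
    if not smtp_like:
        return False
    return event.get("host") not in MAIL_RELAYS and event.get("proc") not in MAIL_CLIENTS


def detect(log_text: str) -> List[Dict[str, str]]:
    """Return the events that should be raised as alerts, in log order."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        if is_suspicious(event):
            alerts.append(event)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"ALERT {a['ts']} {a['host']} {a['proc']} -> {a['dst']}:{a['dport']}")
```

Tuning note: the rule keys on destination port and on the Gmail hostname, so a process that tunnels mail over port 443 would not trip it; pairing this with a process-level rule (node or python spawning an SMTP library) closes that gap, and the allowlists should be kept small so that an installed package cannot hide behind a broad exception.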

🌐 Broader Campaign Using GitHub Repositories

The attackers also extended their reach by hosting fake Solana development tools on GitHub. Two repositories—"moonshot-wif-hwan" and "Diveinprogramming"—claimed to provide useful tools for Solana developers. Instead, they included scripts that imported malicious npm packages. For example, the "moonshot-wif-hwan/pumpfun-bump-script-bot" script, advertised as a bot for automating trading on Raydium (a Solana-based decentralized exchange), was instead engineered to execute malicious code.

🛠️ Advanced Destructive Capabilities

Beyond data theft, a second set of npm packages introduced a kill switch function that:

  • 🚨 Deletes Files Recursively: Wipes project-specific directories once triggered.
  • 📦 Exfiltrates Environment Variables: Sends sensitive data to remote servers for further exploitation.

The counterfeit csbchalk-next package operates similarly but activates the kill switch only after receiving a "202" code from a remote server, adding another layer of stealth.

🐍 PyPI Packages Targeting Python Developers

The malicious PyPI package pycord-self targeted Python developers integrating Discord APIs. Once installed, it:

  • 🔓 Captured Discord Authentication Tokens: Compromising user accounts.
  • 📤 Exfiltrated Environment Variables: To gain additional system information.
  • 💻 Maintained Backdoor Access: Persistent across Windows and Linux systems, enabling ongoing exploitation.

🕵️ Broader Implications

This campaign highlights the increasing prevalence of supply chain attacks exploiting trusted platforms like npm and PyPI. Attackers use typosquatting, creating similarly named packages, to trick users into downloading malicious libraries. A notable example is the targeting of Roblox players with bogus PyPI packages delivering malware such as Skuld and Blank-Grabber. In 2024, Imperva also uncovered PyPI packages aimed at stealing data from Roblox users searching for game cheats and mods.

🛡️ Mitigation Steps

To defend against such supply chain attacks, developers and users should:

  • 🔍 Verify Package Authenticity: Check publisher details, reviews, and download counts before installation.
  • 🛡️ Monitor Unusual Activity: Stay alert for unexpected email traffic or unauthorized file deletions.
  • 📦 Use Sandbox Environments: Test third-party packages in isolated environments before deployment.
  • 🖥️ Implement Endpoint Security: Deploy robust tools to detect and block unusual network traffic or file activities.
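The first mitigation step can be partly automated: before a manifest is installed, its dependency names can be checked against the package names reported in this article and against lookalikes of the popular libraries those names imitate. The following is an added example written for this article (not code from the article or from npm, PyPI or any project named here); the known-bad list is taken from the article, while the reference list of popular packages, the filler-suffix list and both sample manifests are constructed assumptions.

```python
"""Audit npm and pip dependency manifests for reported-malicious and lookalike names.

Added example. KNOWN_BAD comes from the article; POPULAR, NOISE and the sample
manifests are constructed for the illustration.
"""
import json
import re
from typing import Dict, List, Optional, Set, Tuple

# Package names the article reports as malicious (all npm except pycord-self on PyPI).
KNOWN_BAD: Set[str] = {
    "@async-mutex/mutex", "dexscreener", "solana-transaction-toolkit",
    "solana-stable-web-huks", "cschokidar-next", "achokidar-next",
    "achalk-next", "csbchalk-next", "cschalk", "pycord-self",
}

# Assumed reference set: legitimate packages the typosquats in the article imitate.
POPULAR: Tuple[str, ...] = ("async-mutex", "chalk", "chokidar", "discord.py-self")

# Assumed filler suffixes that typosquatters append to a stolen name.
NOISE: Tuple[str, ...] = ("-next", "-js", "-lib")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def strip_noise(name: str) -> str:
    """Lowercase a name and drop one trailing filler suffix."""
    base = name.lower()
    for suffix in NOISE:
        if base.endswith(suffix):
            return base[: -len(suffix)]
    return base


def lookalike_of(name: str) -> Optional[str]:
    """Return the popular package this name imitates, or None if it looks genuine.

    An npm scope that reuses a popular unscoped name (e.g. '@chalk/...') is treated
    as a lookalike; the genuine unscoped package itself is not.
    """
    scoped = name.startswith("@") and "/" in name
    parts = [name[1:].split("/", 1)[0], name.split("/", 1)[1]] if scoped else [name]
    for part in parts:
        base = strip_noise(part)
        for pop in POPULAR:
            if base == pop and not scoped:
                continue  # this is the real package, not an imitation
            if base == pop or pop in base or edit_distance(base, pop) <= 1:
                return pop
    return None


def load_npm_deps(package_json_text: str) -> Set[str]:
    """Collect dependency names from a package.json document."""
    doc = json.loads(package_json_text)
    names: Set[str] = set()
    for key in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(doc.get(key, {}).keys())
    return names


def load_pip_deps(requirements_text: str) -> Set[str]:
    """Collect distribution names from a requirements.txt (version specs ignored)."""
    names: Set[str] = set()
    for line in requirements_text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m and not line.lstrip().startswith("#"):
            names.add(m.group(1))
    return names


def audit(dependencies: Set[str]) -> List[Tuple[str, str]]:
    """Return (name, reason) findings, sorted by name."""
    findings: List[Tuple[str, str]] = []
    for name in sorted(dependencies):
        if name in KNOWN_BAD:
            findings.append((name, "known malicious (reported)"))
        else:
            pop = lookalike_of(name)
            if pop is not None:
                findings.append((name, f"lookalike of {pop}"))
    return findings


# Constructed sample manifests mixing legitimate, reported and lookalike names.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"chalk": "^5.3.0", "cschalk": "1.0.0", "express": "^4.19.0",
                     "@async-mutex/mutex": "1.0.0", "chalks-next": "0.2.0"},
    "devDependencies": {"achalk-next": "0.1.0", "@chokidar/core": "1.0.0"},
})
SAMPLE_REQUIREMENTS = "requests==2.31.0\npycord-self>=1.0\ndiscord.py-self\n# comment\n"


if __name__ == "__main__":
    for dep, reason in audit(load_npm_deps(SAMPLE_PACKAGE_JSON) | load_pip_deps(SAMPLE_REQUIREMENTS)):
        print(f"{dep}: {reason}")
```

Treat the lookalike findings as review prompts rather than verdicts: containment and a distance of one will occasionally flag a legitimately named package, so the reference list should be limited to the libraries a project actually uses, while the reported-name matches are hard blocks.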

💡 Final Thoughts

This campaign underscores the importance of vigilance in the open-source community. With attackers leveraging trusted platforms like Gmail SMTP to bypass security measures, the stakes are higher than ever. Developers, particularly in the cryptocurrency and blockchain sectors, must remain cautious and take proactive steps to protect their projects and systems. By fostering a culture of security-first development and raising awareness, the community can significantly reduce the success rate of such malicious campaigns.


About the Creator

WIRE TOR - Ethical Hacking Services

WIRE TOR is a Cyber Intelligence Company that Provides Pentest & Cybersecurity News About IT, Web, Mobile (iOS, Android), API, Cloud, IoT, Network, Application, System, Red teaming, Social Engineering, Wireless, And Source Code.
