Malicious npm Packages Target Solana Wallets via Gmail SMTP
According to security researcher Kirill Boychenko, the malicious packages are capable of automatically transferring up to 98% of a wallet’s funds to an attacker-controlled Solana address.

Cybersecurity researchers have uncovered a series of malicious npm packages designed to target Solana wallet holders, stealing private keys through Gmail’s Simple Mail Transfer Protocol (SMTP). The packages, discovered by supply chain security company Socket, pose a significant threat to developers and users of Solana-related tools, as they exfiltrate sensitive data and drain wallet funds.
Among the identified packages are solana-transaction-toolkit and solana-stable-web-huks, both of which masquerade as legitimate tools for interacting with the Solana blockchain. Instead of offering the promised functionality, these packages steal private keys and transmit them to attackers via Gmail’s SMTP servers.
The use of Gmail is particularly insidious: security systems often treat email traffic to smtp.gmail.com as legitimate, which makes firewalls and endpoint detection systems almost useless against this exfiltration channel.
According to security researcher Kirill Boychenko, the malicious packages are capable of automatically transferring up to 98% of a wallet’s funds to an attacker-controlled Solana address. The malicious behavior is hidden behind seemingly innocuous npm packages of the kind developers commonly install when integrating Solana-specific tooling.
Attackers Use GitHub to Spread Malicious Solana Code
Further investigation revealed that the threat actors also maintained GitHub repositories, including moonshot-wifhan and Diveinprogramming, which hosted tools purportedly for Solana development.
However, these repositories secretly imported the harmful npm packages, highlighting the breadth of the attackers’ strategy for reaching unsuspecting developers through trusted platforms like GitHub.
Kill Switch Functionality in Typosquatted Packages
In addition to the key-stealing functionality, some of the malicious packages incorporate a kill switch mechanism. For example, the counterfeit csbchalk-next package, a typosquat of the popular chalk library, can delete project-specific files based on responses from a server the attackers control. This kill switch, coupled with the data exfiltration, significantly increases the potential damage to affected systems.
The malicious npm packages targeting Solana wallets highlight the rapidly growing risks in the open-source ecosystem. Remaining vigilant is essential, and the need for developers to take proactive measures to secure their codebases and sensitive data is more pressing than ever.
As the investigation continues, experts urge developers to carefully verify the authenticity of dependencies and to monitor their systems for signs of suspicious activity.