Socket’s threat research team has uncovered a campaign of malicious npm packages designed to exfiltrate Solana private keys via Gmail. The packages – @async-mutex/mutex, dexscreener, solana-transaction-toolkit, and solana-stable-web-huks – rely on typosquatting to trick developers into installing them. They masquerade as legitimate libraries but instead steal sensitive data and, in some cases, drain victims’ wallets.
Two distinct threat actors are behind this campaign, sharing overlapping tactics, techniques, and procedures (TTPs). The malicious packages intercept private keys during wallet interactions and use Gmail’s trusted SMTP servers to exfiltrate them. As the report highlights, “Because Gmail is a trusted email service, these exfiltration attempts are less likely to be flagged by firewalls or endpoint detection systems.”
Malicious Packages and Their Functions
- @async-mutex/mutex:
  - A typosquat of the legitimate async-mutex library, which provides mutual exclusion for asynchronous operations.
  - Downloaded 240 times compared to the original’s millions, this package embeds scripts to steal Solana private keys and relay them via Gmail.
  - Socket warns, “AI-generated package summaries in search results can land developers and users in hot water and may inadvertently lend credibility and legitimacy to malicious software.”
- dexscreener:
  - Purports to provide tools for interacting with decentralized exchanges (DEXs) but exhibits the same malicious behavior as @async-mutex/mutex.
- solana-transaction-toolkit and solana-stable-web-huks:
  - Go beyond exfiltrating private keys, programmatically draining up to 98% of wallet balances to attacker-controlled addresses. The report details, “The remaining 2% is likely left behind to reduce suspicion or prevent transaction failures due to fees.”
The threat actors also use GitHub repositories under aliases such as “moonshot-wif-hwan” and “Diveinprogramming” to distribute the malware. These repositories mimic legitimate Solana tools but import the malicious npm packages. For instance, the “pumpfun-bump-script-bot” repository promotes itself as a trading bot for Raydium but imports solana-stable-web-huks to steal private keys.
The malicious npm packages targeting Solana wallets highlight the risks developers face when integrating third-party dependencies. As Socket’s report emphasizes, “Regularly auditing dependencies ensures no unexpected or malicious packages slip into your codebase.”
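One concrete form such an audit can take, as an added example that is not part of Socket’s report: a Node.js script that walks a package-lock.json (lockfile v2/v3 `packages` map), flags the four package names listed above, and flags names that look like typosquats of a watched library (here only async-mutex, which the article names; the watch list, the edit-distance threshold, and the sample lockfile are all assumptions constructed for this example).

```javascript
// Added example (not Socket's or npm's code): audit a package-lock.json for the
// package names this article lists and for typosquat-like names.
const KNOWN_MALICIOUS = new Set([
  "@async-mutex/mutex", "dexscreener",
  "solana-transaction-toolkit", "solana-stable-web-huks",
]);
// Assumed watch list of legitimate libraries whose names are worth protecting.
const WATCHED = ["async-mutex"];

// Standard Levenshtein edit distance (single-row dynamic programming).
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Returns a reason string for a suspicious package name, or null if it looks fine.
// A scoped name whose scope equals a watched name (e.g. @async-mutex/mutex)
// is treated as a typosquat, as are unscoped names within edit distance 2.
function classify(name) {
  if (KNOWN_MALICIOUS.has(name)) return "known-malicious";
  const scoped = name.startsWith("@");
  const scope = scoped ? name.slice(1, name.indexOf("/")) : null;
  const bare = scoped ? name.slice(name.indexOf("/") + 1) : name;
  for (const w of WATCHED) {
    if (name === w) return null;                       // the genuine package
    if (scope === w || bare === w) return `typosquat-like of ${w}`;
    if (levenshtein(bare, w) <= 2) return `typosquat-like of ${w}`;
  }
  return null;
}

// Walks every installed package in a lockfile and collects findings.
function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const key of Object.keys(lock.packages || {})) {
    if (key === "") continue;                          // root project entry
    const name = key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
    const reason = classify(name);
    if (reason) findings.push({ name, reason });
  }
  return findings;
}

// Constructed sample lockfile: one genuine dependency, one known-malicious
// package from the article, one look-alike name, and one unrelated package.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/async-mutex": { version: "1.0.0" },
    "node_modules/@async-mutex/mutex": { version: "1.0.0" },
    "node_modules/asyncmutex": { version: "1.0.0" },
    "node_modules/express": { version: "1.0.0" },
  },
});
console.log(auditLockfile(SAMPLE_LOCK));
```

Run it against a real lockfile with `auditLockfile(fs.readFileSync("package-lock.json", "utf8"))`; a non-empty result is a prompt to inspect the package, not proof of compromise.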