Malicious npm Packages Target Solana Developers, Stealing Private Keys via Gmail

Socket’s threat research team has uncovered a concerning campaign involving malicious npm packages designed to exfiltrate Solana private keys via Gmail. The packages – @async-mutex/mutex, dexscreener, solana-transaction-toolkit, and solana-stable-web-huks – exploit typosquatting to deceive developers into downloading them. These malicious tools masquerade as legitimate libraries but instead steal sensitive data and, in some cases, drain victims’ wallets.

Two distinct threat actors are behind this campaign, sharing overlapping tactics, techniques, and procedures (TTPs). The malicious packages intercept private keys during wallet interactions, using Gmail’s trusted SMTP servers for data exfiltration. As the report highlights, “Because Gmail is a trusted email service, these exfiltration attempts are less likely to be flagged by firewalls or endpoint detection systems.” Malicious scripts use Gmail’s SMTP services for exfiltration.

Malicious Packages and Their Functions

1. @async-mutex/mutex:
   • A typosquat of the legitimate async-mutex library, which provides mutual exclusion for asynchronous operations.
   • Downloaded 240 times compared to the original’s millions, this package embeds scripts to steal Solana private keys and relay them via Gmail.
   • Socket warns, “AI-generated package summaries in search results can land developers and users in hot water and may inadvertently lend credibility and legitimacy to malicious software.”
2. dexscreener:
   • Purports to provide tools for interacting with decentralized exchanges (DEXs) but exhibits identical malicious behavior as @async-mutex/mutex.
3. solana-transaction-toolkit and solana-stable-web-huks:
   • Go beyond exfiltrating private keys, programmatically draining up to 98% of wallet balances to attacker-controlled addresses. The report details, “The remaining 2% is likely left behind to reduce suspicion or prevent transaction failures due to fees.”

Threat actors use GitHub repositories under aliases like “moonshot-wif-hwan” and “Diveinprogramming” to distribute malware. These repositories mimic legitimate Solana tools but import malicious npm packages. For instance, the “pumpfun-bump-script-bot” repository promotes itself as a trading bot for Raydium but imports solana-stable-web-huks to steal private keys.

The malicious npm packages targeting Solana wallets highlight the risks developers face when integrating third-party dependencies. As Socket’s report emphasizes, “Regularly auditing dependencies ensures no unexpected or malicious packages slip into your codebase.”

Related Posts:

• Solana Drainer Source Code Leak Reveals MS Drainer Connection, Underscores Growing Threat to Crypto Users
• Malicious Browser Extension Hijacks Solana Transactions
• Solana Web3.js Library Compromised in Targeted Supply Chain Attack

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy

Written by

@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.