Malicious npm and PyPI Packages Steal Solana Private Keys and Delete Sensitive Data

Jan 20, 2025 | News


Cybersecurity researchers have identified three sets of malicious packages in the npm and Python Package Index (PyPI) repositories, which target developers by stealing Solana private keys, exfiltrating environment variables, and even deleting sensitive files on infected systems.

Malicious Packages Overview

The identified packages, which include typosquatted versions of legitimate libraries, aim to exploit unsuspecting developers. Below is the list:

npm Packages:

  • @async-mutex/mutex (typosquat of async-mutex)
  • dexscreener (claims to interact with DEX Screener and liquidity pools)
  • solana-transaction-toolkit
  • solana-stable-web-huks
  • cschokidar-next (typosquat of chokidar)
  • achokidar-next (typosquat of chokidar)
  • achalk-next (typosquat of chalk)
  • csbchalk-next (typosquat of chalk)
  • cschalk (typosquat of chalk)

PyPI Packages:

  • pycord-self (typosquat of discord.py-self)


Functionality and Threats

1. Solana Private Key Theft

The first four npm packages (dexscreener, solana-transaction-toolkit, solana-stable-web-huks, and @async-mutex/mutex) are engineered to:

  • Steal Solana private keys and exfiltrate them via Gmail SMTP servers, bypassing firewalls.
  • Drain Solana wallets, transferring up to 98% of funds to an attacker-controlled address.

2. Destructive “Kill Switch”

Other npm packages (e.g., csbchalk-next) feature:

  • Environment variable exfiltration to a remote server.
  • A kill switch to delete project-specific directories remotely, triggered by a server response code (202).

3. Discord Backdoor Installation

The PyPI package pycord-self:

  • Captures Discord authentication tokens.
  • Installs a backdoor for persistent attacker access on both Windows and Linux.

(Figure: Malicious npm Packages)
Wider Campaign Tactics

  • Malicious GitHub Repositories:
    Threat actors hosted fake repositories advertising Solana development tools. These repositories distributed malware-laden npm packages and have since been taken down.

  • Targeting Roblox Users:
    Similar campaigns targeted Roblox developers with fake PyPI packages containing Skuld and Blank-Grabber malware.

Recommendations for Developers

  1. Avoid Typosquatting Traps: Verify package names and download from trusted sources.
  2. Audit Dependencies: Use tools like Socket, Snyk, or npm audit to detect vulnerabilities.
  3. Protect Authentication Keys: Secure Solana private keys, API tokens, and environment variables in protected files.
  4. Monitor for Suspicious Activity: Check for unexpected network traffic, file deletions, or leaked environment variables.
  5. Update Security Practices: Follow trusted cybersecurity sources to stay informed on supply chain threats.
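As an added illustration of recommendations 1 and 2 (this is not code from the article, nor from Socket, Snyk or npm audit), a small Python check that flags dependency names which match the packages reported above or resemble the legitimate libraries they impersonate. The allow-list, the extra look-alike suffixes and the sample package.json are constructed for the example.

```python
import json
from difflib import SequenceMatcher

# Legitimate packages the article says were impersonated (assumption: extend with your own allow-list).
LEGIT = {"npm": {"chokidar", "chalk", "async-mutex"}, "pypi": {"discord.py-self"}}
# Package names the article reports as malicious, used as an exact-match blocklist.
REPORTED = {
    "npm": {"@async-mutex/mutex", "dexscreener", "solana-transaction-toolkit",
            "solana-stable-web-huks", "cschokidar-next", "achokidar-next",
            "achalk-next", "csbchalk-next", "cschalk"},
    "pypi": {"pycord-self"},
}
# Suffixes bolted onto a real name ("-next" appears in the reported names; the rest are assumptions).
SUFFIXES = ("-next", "-js", "-py", "2")

def normalize(name: str) -> str:
    """Lower-case the name, drop any npm scope and a trailing look-alike suffix."""
    base = name.lower().split("/")[-1]
    for suffix in SUFFIXES:
        if base.endswith(suffix) and len(base) > len(suffix):
            return base[: -len(suffix)]
    return base

def classify(name: str, ecosystem: str):
    """Return a reason string when `name` looks suspicious, else None."""
    if name in REPORTED[ecosystem]:
        return "reported malicious"
    legit, raw = LEGIT[ecosystem], name.lower()
    if raw in legit:
        return None  # the genuine package
    if raw.startswith("@") and raw[1:].split("/")[0] in legit:
        return f"scope impersonates {raw[1:].split('/')[0]}"  # e.g. @async-mutex/mutex
    base = normalize(raw)
    for good in sorted(legit):
        if base == good:
            return f"suffix variant of {good}"        # chokidar-next -> chokidar
        if good in base:
            return f"embeds legitimate name {good}"   # cschokidar -> chokidar
        if SequenceMatcher(None, base, good).ratio() >= 0.85:
            return f"near miss of {good}"             # one-letter typos
    return None

def scan_package_json(text: str) -> dict:
    """Scan dependencies and devDependencies of a package.json; return {name: reason}."""
    manifest = json.loads(text)
    deps = [d for s in ("dependencies", "devDependencies") for d in manifest.get(s, {})]
    return {d: r for d in deps if (r := classify(d, "npm"))}
```

The name heuristics only catch look-alikes of packages on your allow-list; pycord-self, for instance, is caught by the blocklist alone.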


Source: thehackernews.com
