Alert: Hackers Target Solana Wallets Through Infected npm Packages Using Gmail Backdoor

Malicious Packages Discovered in npm and PyPI Repositories Pose Severe Security Threats

Security researchers have uncovered three distinct sets of malicious packages in npm and PyPI repositories that pose significant risks to developers and users. These packages are capable of data theft and system manipulation.

The first group, including @async-mutex/mutex and several Solana-related packages, specifically targets cryptocurrency wallets. These packages intercept Solana private keys and transmit them through Gmail’s SMTP servers, potentially draining up to 98% of victims’ wallet contents to attacker-controlled addresses.

The second set comprises multiple typosquatted packages mimicking popular libraries like chokidar and chalk. These packages contain a dangerous “kill switch” function that can delete files in project directories while also stealing environment variables.

The third threat, pycord-self, targets Python developers working with Discord APIs. This package captures authentication tokens and establishes backdoor access on both Windows and Linux systems.

Key Malicious Packages Identified:
– Solana-focused: solana-transaction-toolkit, solana-stable-web-huks
– Typosquatted npm packages: cschokidar-next, achokidar-next, achalk-next
– Python package: pycord-self (Discord API exploit)
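A defender-side audit that turns the indicators above into a check against a project's dependency list and package source. This is an added example, not code from the article or from the packages it names; the popular-package list, the edit-distance threshold and the sample inputs are assumptions chosen here.

```javascript
// Added example (not from the article or the packages it names): audit npm dependency
// names against the reported packages, flag look-alikes, scan source for Gmail SMTP exfil.
// Package names the article reports as malicious.
const KNOWN_MALICIOUS = new Set([
  '@async-mutex/mutex', 'solana-transaction-toolkit', 'solana-stable-web-huks',
  'cschokidar-next', 'achokidar-next', 'achalk-next',
]);
// Popular packages the typosquats imitated (assumption: extend for your own stack).
const POPULAR = ['chokidar', 'chalk'];
// Levenshtein edit distance: one or two edits away from a popular name is a red flag.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
  }
  return d[a.length][b.length];
}
// Classify one dependency name as 'malicious', 'suspicious' or 'ok'.
function classifyName(name) {
  if (KNOWN_MALICIOUS.has(name)) return 'malicious';
  const bare = name.replace(/^@[^/]+\//, '');        // drop the npm scope
  const stripped = bare.replace(/-[a-z0-9]+$/, '');  // drop one trailing "-xyz" segment
  for (const p of POPULAR) {
    for (const cand of [bare, stripped]) {
      if (cand !== p && editDistance(cand, p) <= 2) return 'suspicious';
    }
  }
  return 'ok';
}
// Flag source that pairs Gmail SMTP with wallet secret-key access, the exfiltration
// pattern the article describes. Returns the indicator tags found (heuristic only).
function scanSource(src) {
  const hits = [];
  if (/smtp\.gmail\.com/i.test(src)) hits.push('gmail-smtp');
  if (/secretKey|privateKey/.test(src)) hits.push('wallet-key-access');
  return hits;
}
// Audit a package.json-style dependencies object, name -> verdict.
function auditDependencies(deps) {
  return Object.fromEntries(Object.keys(deps).map((n) => [n, classifyName(n)]));
}
// Constructed sample input (not real package contents): one clean, one look-alike, one reported.
const SAMPLE_DEPS = { chalk: '^5', chockidar: '^3', 'solana-transaction-toolkit': '^1' };
console.log(auditDependencies(SAMPLE_DEPS));
```

Run it against the `dependencies` and `devDependencies` of a real package.json and over the files under `node_modules`; a 'suspicious' verdict means review, not proof, since legitimate forks and plugins also sit close to popular names.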

The attackers also deployed GitHub repositories containing seemingly legitimate Solana development tools that secretly imported these malicious packages. The associated GitHub accounts “moonshot-wif-hwan” and “Diveinprogramming” have since been removed.

This campaign demonstrates an evolving threat in the software supply chain, particularly targeting cryptocurrency users and developers working with popular platforms like Discord and Solana.
