Socket’s threat research team has identified malicious npm packages that exfiltrate Solana private keys via Gmail. These packages, which typosquat popular libraries, serve as malware that drains victims’ wallets. The threat actors utilize overlapping tactics and Gmail’s SMTP servers for data exfiltration, making detection difficult. The malicious packages remain live on npm, prompting efforts for their removal. Affected: npm, Gmail
Keypoints :
- Malicious npm packages identified: @async-mutex/mutex, dexscreener, solana-transaction-toolkit, and solana-stable-web-huks.
- Packages typosquat popular libraries and appear legitimate but function as malware.
- Threat actors use Gmail’s SMTP servers for exfiltration, making detection more challenging.
- Malicious packages drain victims’ Solana wallets by transferring funds to attacker-controlled addresses.
- AI-generated summaries may inadvertently legitimize these malicious packages, increasing risk for developers.
- Two GitHub repositories were identified that amplify the malware campaign.
- Recommendations include verifying package authenticity and monitoring network traffic for unusual connections.
MITRE Techniques :
- T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain
- T1059.007 — Command and Scripting Interpreter: JavaScript
- T1036.005 — Masquerading: Match Legitimate Name or Location
- T1027.013 — Obfuscated Files or Information: Encrypted/Encoded File
- T1546.016 — Event Triggered Execution: Installer Packages
- T1048 — Exfiltration Over Alternative Protocol
- T1583.006 — Acquire Infrastructure: Web Services
- T1005 — Data from Local System
Indicator of Compromise :
- [file name] @async-mutex/mutex
- [file name] dexscreener
- [file name] solana-transaction-toolkit
- [file name] solana-stable-web-huks
- [email] vision.high.ever@gmail.com
- Check the article for all found IoCs.
Full Research: https://socket.dev/blog/gmail-for-exfiltration-malicious-npm-packages-target-solana-private-keys-and-drain-victim-s