Malicious npm packages typosquatting widely used libraries have been leveraged to facilitate covert Solana private key exfiltration through Gmail's SMTP servers, Security Affairs reports.
Threat actor solana-web-stable-huks' "solana-transaction-toolkit" and "solana-stable-web-huks" packages — which have amassed more than 130 downloads — not only compromised Solana private keys through Nodemailer but also enabled the automated transfer of 98% of the targeted cryptocurrency wallets' assets to an attacker-controlled Solana address, according to a Socket analysis.

Other Solana tool-impersonating packages have been published by the same attacker under the aliases "moonshot-wif-hwan" and "Diveinprogramming."

Such findings should prompt more rigorous package verification processes and enhanced private key access controls, said Socket researchers. "Whenever possible, use dedicated or temporary environments for testing third-party scripts, isolating potentially harmful code from your primary systems. Finally, monitor network traffic for unusual outbound connections, particularly those involving SMTP services, since even otherwise benign Gmail traffic can be used to exfiltrate sensitive information," the report said.
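The monitoring advice above, turned into a concrete check as an added example (not code from Socket or the report): it scans constructed JSON-lines connection events and flags outbound SMTP traffic from script runtimes such as node, which is the pattern a Nodemailer-based exfiltration over Gmail's SMTP servers would leave. The field names, the mail-client allowlist and the sample log are assumptions.

```python
"""Flag outbound SMTP from processes that should not send mail (assumed fields: ts, host, process, direction, dest, dport)."""
import json

SMTP_PORTS = {25, 465, 587}
MAIL_HOST_SUFFIXES = ("smtp.gmail.com", "googlemail.com")  # assumption: resolved hostnames are logged
SCRIPT_RUNTIMES = {"node", "npm", "npx", "yarn", "pnpm", "python3"}  # what an install script runs as
MAIL_CLIENTS = {"thunderbird", "outlook", "evolution"}  # assumption: site allowlist of real mail senders

def classify(event):
    """Return (severity, reason) for an SMTP-looking outbound event, or None if benign."""
    if event.get("direction") != "outbound":
        return None
    dport = int(event.get("dport", 0))
    dest = str(event.get("dest", "")).lower()
    proc = str(event.get("process", "")).lower()
    if dport not in SMTP_PORTS and not dest.endswith(MAIL_HOST_SUFFIXES):
        return None  # not SMTP at all
    if proc in MAIL_CLIENTS:
        return None  # an expected mail sender; Gmail SMTP is normal here
    if proc in SCRIPT_RUNTIMES:
        return ("high", f"{proc} opened SMTP to {dest}:{dport}")
    return ("medium", f"unexpected process {proc!r} opened SMTP to {dest}:{dport}")

def scan(lines):
    """Parse JSON-lines events and return a list of (ts, host, severity, reason)."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if (verdict := classify(event)):
            findings.append((event.get("ts", ""), event.get("host", ""), *verdict))
    return findings

# Constructed sample log: one node-to-Gmail SMTP session, one legitimate mail client, noise.
SAMPLE_LOG = """
{"ts":"2025-01-20T10:01:02Z","host":"dev-07","process":"node","direction":"outbound","dest":"smtp.gmail.com","dport":465}
{"ts":"2025-01-20T10:01:05Z","host":"dev-07","process":"thunderbird","direction":"outbound","dest":"smtp.gmail.com","dport":587}
{"ts":"2025-01-20T10:01:09Z","host":"dev-07","process":"node","direction":"outbound","dest":"registry.npmjs.org","dport":443}
{"ts":"2025-01-20T10:02:41Z","host":"build-01","process":"curl","direction":"outbound","dest":"203.0.113.10","dport":25}
{"ts":"2025-01-20T10:03:00Z","host":"dev-07","process":"node","direction":"inbound","dest":"127.0.0.1","dport":587}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(*finding)
```

Only the node session to smtp.gmail.com:465 and the curl session on port 25 are reported; the allowlisted mail client, the npm registry fetch and the inbound event are not.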