Malware, Threat Intelligence, Data Security

Solana private key exfiltration facilitated by illicit npm packages

Malicious npm packages typosquatting widely used libraries have been leveraged to facilitate covert Solana private key exfiltration through Gmail's SMTP servers, Security Affairs reports.

Threat actor solana-web-stable-huks' "solana-transaction-toolkit" and "solana-stable-web-huks" packages — which have amassed more than 130 downloads — not only compromised Solana private keys through Nodemailer but also enabled the automated transfer of 98% of the targeted cryptocurrency wallets' assets to an attacker-controlled Solana address, according to a Socket analysis. Other Solana tool-impersonating packages have been published by the same attacker under the aliases "moonshot-wif-hwan" and "Diveinprogramming." Such findings should prompt more rigorous package verification processes and enhanced private key access controls, said Socket researchers. "Whenever possible, use dedicated or temporary environments for testing third-party scripts, isolating potentially harmful code from your primary systems. Finally, monitor network traffic for unusual outbound connections, particularly those involving SMTP services, since even otherwise benign Gmail traffic can be used to exfiltrate sensitive information," the report said.
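The package verification the researchers call for can be partly automated. The following is an added example, not code from Socket or SC Media: it audits a parsed npm `package-lock.json` (lockfileVersion 2 or 3) for the two package names in the report and for any dependency that pulls in Nodemailer outside an allowlist. The sample lockfile, its versions, and the `wallet-bot` and `report-mailer` names are constructed.

```javascript
// Package names reported in the article above.
const REPORTED = new Set(['solana-transaction-toolkit', 'solana-stable-web-huks']);
// Mail library the report says carried the exfiltrated keys.
const MAILER = 'nodemailer';

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// lock: parsed package-lock.json (lockfileVersion 2 or 3).
// allowMailer: packages you expect to send mail (your own allowlist).
function auditLockfile(lock, allowMailer = []) {
  const allowed = new Set(allowMailer);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Aliased installs record the real package name in entry.name.
    const name = entry.name || (path === '' ? '(root)' : nameFromPath(path));
    const version = entry.version || null;
    if (REPORTED.has(name)) {
      findings.push({ name, version, reason: 'reported-malicious' });
    }
    const deps = { ...entry.dependencies, ...entry.optionalDependencies };
    if (Object.prototype.hasOwnProperty.call(deps, MAILER) && !allowed.has(name)) {
      findings.push({ name, version, reason: 'unexpected-mailer-dependency' });
    }
  }
  return findings;
}

// Constructed sample lockfile: versions and "report-mailer" are made up.
const SAMPLE_LOCK = {
  name: 'wallet-bot',
  lockfileVersion: 3,
  packages: {
    '': { name: 'wallet-bot', version: '1.0.0',
          dependencies: { 'solana-transaction-toolkit': '^1.0.0', 'report-mailer': '^2.1.0' } },
    'node_modules/solana-transaction-toolkit': {
      version: '1.0.0', dependencies: { nodemailer: '^6.9.0' } },
    'node_modules/nodemailer': { version: '6.9.0' },
    'node_modules/report-mailer': {
      version: '2.1.0', dependencies: { nodemailer: '^6.9.0' } },
  },
};

console.log(auditLockfile(SAMPLE_LOCK, ['report-mailer']));
```

In a real project, pass the result of `JSON.parse` on your own `package-lock.json` as `lock`. The name match only catches packages already reported; the mailer check is a heuristic that surfaces dependencies worth reviewing by hand.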
