Pierluigi Paganini
January 20, 2025
Socket researchers have identified multiple packages in the npm and Python Package Index (PyPI) repository designed to target Solana private keys and drain funds from victims’ wallets.
The malicious npm packages allowed the threat actors to exfiltrate Solana private keys via Gmail. Crooks used names typosquatting popular libraries, such as @async-mutex/mutex, dexscreener, solana-transaction-toolkit and solana-stable-web-huks.
The experts noticed that two two threat actors published the malicious packages, they used similar tactics, techniques, and procedures (TTPs), as well as similar code designed to intercept private keys from various wallet interactions. The attackers exfiltrated the stolen info via Gmail’s SMTP servers to avoid detection.
At the time of the report publication, the packages are still live on npm despite experts requesting their removal. Two GitHub repositories were reported for supporting the malware campaign and legitimizing malicious npm packages.
“The malicious packages solana-transaction-toolkit and solana-stable-web-huks, published by a threat actor using the npm registry alias “solana-web-stable-huks”, do more than steal Solana private keys and exfiltrate them via Gmail. They take the attack further by programmatically draining the victim’s wallet, automatically transferring up to 98% of its contents to an attacker-controlled Solana address 3RbBjhVRi8qYoGB5NLiKEszq2ci559so4nPqv2iNjs8Q.” reads the analysis published by Socket. “The remaining 2% is likely left behind to reduce suspicion or prevent transaction failures due to fees. The ultimate goal is clear: funneling the victim’s funds directly into the attacker’s control.”
The malicious packages discovered by the experts are posing as Solana tools and have 130+ downloads, using Nodemailer to steal keys via Gmail and automate wallet draining.
“Any discovered private keys (represented by p1, p2, p3, p4, p5) are exfiltrated to attacker-controlled Gmail addresses: qadeerkhanr5@gmail.com and czhanood@gmail.com.” continues the report. “The code can handle multiple private keys simultaneously, allowing the attacker to compromise multiple user accounts or environments at once.”
Socket also discovered two GitHub repositories, posing as Solana tools by aliases ‘moonshot-wif-hwan’ and ‘Diveinprogramming,’ secretly import malicious npm packages.
Threat actors are using malicious GitHub repositories to expand attacks beyond npm, targeting developers seeking Solana tools on the platform.
“It is important to verify a package’s authenticity by examining its download counts, publisher history, and any associated GitHub repository links. Regularly auditing dependencies ensures no unexpected or malicious packages slip into your codebase. Equally vital is maintaining strict access controls around private keys, limiting who can view or import them in development environments.” concludes the report that includes Indicators of compromise for this campaign. (IoCs). “Whenever possible, use dedicated or temporary environments for testing third-party scripts, isolating potentially harmful code from your primary systems. Finally, monitor network traffic for unusual outbound connections, particularly those involving SMTP services, since even otherwise benign Gmail traffic can be used to exfiltrate sensitive information.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, PyPI packages)
Security / September 03, 2025
