Security researchers have uncovered a sophisticated attack targeting cryptocurrency users through malicious software packages. The attack specifically aims to steal private keys from Solana blockchain wallets by distributing the malicious packages through popular software repositories.
The security firm Socket identified several suspicious packages on the npm software registry that were designed to appear as legitimate cryptocurrency tools. Two packages in particular - "solana-transaction-toolkit" and "solana-stable-web-huks" - contained code that could automatically drain up to 98% of funds from victims' Solana wallets.
What makes this attack notable is the clever use of Gmail's email servers to transmit the stolen wallet credentials. By routing the stolen data through Gmail's SMTP servers, the attackers were able to avoid detection, since outbound traffic to Gmail is rarely blocked or flagged by security systems that trust it as a legitimate service.
The attackers also created fake GitHub repositories that claimed to provide Solana development tools but secretly included the malicious packages. This multi-platform approach aimed to trap developers searching for blockchain-related resources.
Beyond just stealing crypto wallets, some of the malicious packages contained destructive capabilities. Certain variants could completely wipe files from infected systems. One package named "csbchalk-next" would only trigger its file deletion function after receiving a specific command from the attackers' server.
The discovery highlights ongoing risks in the software supply chain, particularly for cryptocurrency users and developers. Socket recommends carefully verifying the authenticity of any blockchain-related development tools before installation.
While the malicious GitHub accounts have been removed, developers should remain cautious when downloading cryptocurrency packages, especially those claiming to provide Solana functionality. Extra verification steps are advised before incorporating any third-party blockchain tools into projects.