Cyber Security News

Malicious Solana Packages Attacking Devs Abusing Slack And ImgBB For Data Theft

Malicious packages “solanacore,” “solana login,” and “walletcore-gen” on npmjs target Solana developers with Windows trojans and malware for keylogging and data exfiltration via Slack webhooks and ImgBB APIs.

These recently discovered crypto-stealers exhibit unusual transparency, openly revealing their malicious intent within their code, which stark contrast to the typical obfuscation techniques employed by such malware suggests a unique and potentially less sophisticated threat actor with a distinct approach to developing and deploying these malicious packages.

An npm user published three distinct packages (solanacore, solana-login, and walletcore-gen) this month, each with identical file structures and code, which collectively downloaded over 1,900 times, likely representing an attempt to artificially inflate download counts and potentially manipulate npm’s popularity rankings.

file structure of a version of the “solanacore” package

The installation package includes scripts with malicious intent that trigger the execution of a trojan disguised as a web browser executable upon successful installation and exploiting the postinstall command for immediate execution. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

The lack of obfuscation in these packages could be a deliberate attempt to evade threat detection by avoiding triggers associated with heavy obfuscation.

These packages might serve as a testbed for future attacks, mirroring past trends where attackers initially deploy benign packages to assess the environment before releasing malicious payloads.

The PowerShell script “intel_keyboard_driver.ps1” within these packages is designed to capture and record user keystrokes, as this information is then dynamically stored and appended to a locally created text file named “ok.txt.”

collected keystrokes are saved to an “ok.txt.”

The keylogging script exploits a Slack webhook by sending a base64-encoded URL to the webhook that points to the “ok.txt” file, which contains the logged keystrokes, effectively exfiltrating sensitive data to a remote server via the Slack platform.

The “accessibility” PowerShell script captures screenshots of the target system and then utilizes the ImgBB image upload API to exfiltrate these screenshots to a remote server, compromising system security. 

Java Script

They utilize Discord Webhooks for data exfiltration, conspicuously referencing the “LOCKBITAI” ransomware group within their code, as the use of this identifier alongside unsophisticated techniques suggests a low probability of genuine affiliation with the LockBit group.

According to Sonatype, malicious npm packages, likely targeting Solana users, were observed distributing plaintext passwords and potentially compromising compromised hosts that should be immediately removed and affected systems thoroughly remediated.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Ivanti Fully Patched Connect Secure RCE Vulnerability That Actively Exploited in the Wild

Ivanti has issued an urgent security advisory for CVE-2025-22457, a critical vulnerability impacting Ivanti Connect…

9 hours ago

Beware! Weaponized Job Recruitment Emails Spreading BeaverTail and Tropidoor Malware

A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing how…

12 hours ago

EncryptHub Ransomware Uncovered Through ChatGPT Use and OPSEC Failures

EncryptHub, a rapidly evolving cybercriminal entity, has come under intense scrutiny following revelations of operational…

12 hours ago

PoisonSeed Targets CRM and Bulk Email Providers in New Supply Chain Phishing Attack

A sophisticated phishing campaign, dubbed "PoisonSeed," has been identified targeting customer relationship management (CRM) and…

12 hours ago

Beware! Fake Unpaid Tolls Messages Used in Phishing Attack to Steal Login Credentials

A surge in phishing text messages claiming unpaid tolls has been linked to a massive…

12 hours ago

State Bar of Texas Confirms Data Breach, Begins Notifying Affected Consumers

The State Bar of Texas has confirmed a data breach following the detection of unauthorized…

13 hours ago