Cyber Security News

Malicious Solana Packages Attacking Devs Abusing Slack And ImgBB For Data Theft

Malicious packages “solanacore,” “solana login,” and “walletcore-gen” on npmjs target Solana developers with Windows trojans and malware for keylogging and data exfiltration via Slack webhooks and ImgBB APIs.

These recently discovered crypto-stealers exhibit unusual transparency, openly revealing their malicious intent within their code, which stark contrast to the typical obfuscation techniques employed by such malware suggests a unique and potentially less sophisticated threat actor with a distinct approach to developing and deploying these malicious packages.

An npm user published three distinct packages (solanacore, solana-login, and walletcore-gen) this month, each with identical file structures and code, which collectively downloaded over 1,900 times, likely representing an attempt to artificially inflate download counts and potentially manipulate npm’s popularity rankings.

file structure of a version of the "solanacore" packagefile structure of a version of the "solanacore" package
file structure of a version of the “solanacore” package

The installation package includes scripts with malicious intent that trigger the execution of a trojan disguised as a web browser executable upon successful installation and exploiting the postinstall command for immediate execution. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

The lack of obfuscation in these packages could be a deliberate attempt to evade threat detection by avoiding triggers associated with heavy obfuscation.

These packages might serve as a testbed for future attacks, mirroring past trends where attackers initially deploy benign packages to assess the environment before releasing malicious payloads.

The PowerShell script “intel_keyboard_driver.ps1” within these packages is designed to capture and record user keystrokes, as this information is then dynamically stored and appended to a locally created text file named “ok.txt.”

collected keystrokes are saved to an “ok.txt.”

The keylogging script exploits a Slack webhook by sending a base64-encoded URL to the webhook that points to the “ok.txt” file, which contains the logged keystrokes, effectively exfiltrating sensitive data to a remote server via the Slack platform.

The “accessibility” PowerShell script captures screenshots of the target system and then utilizes the ImgBB image upload API to exfiltrate these screenshots to a remote server, compromising system security. 

Java Script

They utilize Discord Webhooks for data exfiltration, conspicuously referencing the “LOCKBITAI” ransomware group within their code, as the use of this identifier alongside unsophisticated techniques suggests a low probability of genuine affiliation with the LockBit group.

According to Sonatype, malicious npm packages, likely targeting Solana users, were observed distributing plaintext passwords and potentially compromising compromised hosts that should be immediately removed and affected systems thoroughly remediated.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware has…

5 hours ago

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as a…

5 hours ago

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black Banshee,”…

5 hours ago

APT37 Hackers Use Weaponized LNK Files and Dropbox for Command-and-Control Operations

The North Korean state-sponsored hacking group APT37, also known as ScarCruft, launched a spear phishing…

5 hours ago

Open Source Linux Firewall IPFire 2.29 – Core Update 194 Released: What’s New!

IPFire, the powerful open-source firewall, has unveiled its latest release, IPFire 2.29 – Core Update…

9 hours ago

Threat Actors Leverage DDoS Attacks as Smokescreens for Data Theft

Distributed Denial of Service (DDoS) attacks, once seen as crude tools for disruption wielded by…

9 hours ago