Cyber Security News

Malicious Solana Packages Attacking Devs Abusing Slack And ImgBB For Data Theft

Malicious packages “solanacore,” “solana login,” and “walletcore-gen” on npmjs target Solana developers with Windows trojans and malware for keylogging and data exfiltration via Slack webhooks and ImgBB APIs.

These recently discovered crypto-stealers exhibit unusual transparency, openly revealing their malicious intent within their code, which stark contrast to the typical obfuscation techniques employed by such malware suggests a unique and potentially less sophisticated threat actor with a distinct approach to developing and deploying these malicious packages.

An npm user published three distinct packages (solanacore, solana-login, and walletcore-gen) this month, each with identical file structures and code, which collectively downloaded over 1,900 times, likely representing an attempt to artificially inflate download counts and potentially manipulate npm’s popularity rankings.

file structure of a version of the "solanacore" packagefile structure of a version of the "solanacore" package
file structure of a version of the “solanacore” package

The installation package includes scripts with malicious intent that trigger the execution of a trojan disguised as a web browser executable upon successful installation and exploiting the postinstall command for immediate execution. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

The lack of obfuscation in these packages could be a deliberate attempt to evade threat detection by avoiding triggers associated with heavy obfuscation.

These packages might serve as a testbed for future attacks, mirroring past trends where attackers initially deploy benign packages to assess the environment before releasing malicious payloads.

The PowerShell script “intel_keyboard_driver.ps1” within these packages is designed to capture and record user keystrokes, as this information is then dynamically stored and appended to a locally created text file named “ok.txt.”

collected keystrokes are saved to an “ok.txt.”

The keylogging script exploits a Slack webhook by sending a base64-encoded URL to the webhook that points to the “ok.txt” file, which contains the logged keystrokes, effectively exfiltrating sensitive data to a remote server via the Slack platform.

The “accessibility” PowerShell script captures screenshots of the target system and then utilizes the ImgBB image upload API to exfiltrate these screenshots to a remote server, compromising system security. 

Java Script

They utilize Discord Webhooks for data exfiltration, conspicuously referencing the “LOCKBITAI” ransomware group within their code, as the use of this identifier alongside unsophisticated techniques suggests a low probability of genuine affiliation with the LockBit group.

According to Sonatype, malicious npm packages, likely targeting Solana users, were observed distributing plaintext passwords and potentially compromising compromised hosts that should be immediately removed and affected systems thoroughly remediated.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Secure Ideas Achieves CREST Accreditation and CMMC Level 1 Compliance

Secure Ideas, a premier provider of penetration testing and security consulting services, proudly announces its…

9 hours ago

New Phishing Campaign Targets Investors to Steal Login Credentials

Symantec has recently identified a sophisticated phishing campaign targeting users of Monex Securities (マネックス証券), a…

9 hours ago

UAC-0219 Hackers Leverage WRECKSTEEL PowerShell Stealer to Extract Data from Computers

In a concerning development, CERT-UA, Ukraine's Computer Emergency Response Team, has reported a series of…

9 hours ago

Hunters International Linked to Hive Ransomware in Attacks on Windows, Linux, and ESXi Systems

Hunters International, a ransomware group suspected to be a rebrand of the infamous Hive ransomware,…

10 hours ago

Qilin Operators Imitate ScreenConnect Login Page to Deploy Ransomware and Gain Admin Access

In a recent cyberattack attributed to the Qilin ransomware group, threat actors successfully compromised a…

10 hours ago

Operation HollowQuill Uses Malicious PDFs to Target Academic and Government Networks

A newly uncovered cyber-espionage campaign, dubbed Operation HollowQuill, has been identified as targeting academic, governmental,…

10 hours ago