Malicious Solana Packages Attacking Devs Abusing Slack And ImgBB For Data Theft

Malicious packages “solanacore,” “solana login,” and “walletcore-gen” on npmjs target Solana developers with Windows trojans and malware for keylogging and data exfiltration via Slack webhooks and ImgBB APIs.

These recently discovered crypto-stealers exhibit unusual transparency, openly revealing their malicious intent within their code, which stark contrast to the typical obfuscation techniques employed by such malware suggests a unique and potentially less sophisticated threat actor with a distinct approach to developing and deploying these malicious packages.

An npm user published three distinct packages (solanacore, solana-login, and walletcore-gen) this month, each with identical file structures and code, which collectively downloaded over 1,900 times, likely representing an attempt to artificially inflate download counts and potentially manipulate npm’s popularity rankings.

The installation package includes scripts with malicious intent that trigger the execution of a trojan disguised as a web browser executable upon successful installation and exploiting the postinstall command for immediate execution. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

The lack of obfuscation in these packages could be a deliberate attempt to evade threat detection by avoiding triggers associated with heavy obfuscation.

These packages might serve as a testbed for future attacks, mirroring past trends where attackers initially deploy benign packages to assess the environment before releasing malicious payloads.

The PowerShell script “intel_keyboard_driver.ps1” within these packages is designed to capture and record user keystrokes, as this information is then dynamically stored and appended to a locally created text file named “ok.txt.”

The keylogging script exploits a Slack webhook by sending a base64-encoded URL to the webhook that points to the “ok.txt” file, which contains the logged keystrokes, effectively exfiltrating sensitive data to a remote server via the Slack platform.

The “accessibility” PowerShell script captures screenshots of the target system and then utilizes the ImgBB image upload API to exfiltrate these screenshots to a remote server, compromising system security. 

They utilize Discord Webhooks for data exfiltration, conspicuously referencing the “LOCKBITAI” ransomware group within their code, as the use of this identifier alongside unsophisticated techniques suggests a low probability of genuine affiliation with the LockBit group.

According to Sonatype, malicious npm packages, likely targeting Solana users, were observed distributing plaintext passwords and potentially compromising compromised hosts that should be immediately removed and affected systems thoroughly remediated.

Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!