Solana

Malicious npm and PyPI packages were crafted to target Solana's ecosystem, with the intent to steal private keys and drain funds from victims' wallets. The operation involved typosquatting and names mimicking popular libraries, with the theft executed via Gmail SMTP servers to evade detection. Despite discovery and reporting, the malicious packages remained live at that time. Attackers rigged the packages to programmatically transfer the majority of wallet contents to their address, carefully leaving a small fraction to avoid raising immediate suspicion. Over 130 downloads were recorded for these packages, showcasing a targeted approach to siphon off Solana's assets via automated exfiltration.

Source: https://securityaffairs.com/173249/cyber-crime/malicious-npm-and-pypi-target-solana-private-keys.html

TPRM report: https://scoringcyber.rankiteo.com/company/solanalabs

{
  "id": "sol000012425",
  "linkid": "solanalabs",
  "type": "Breach",
  "date": "1/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}

{
  "affected_entities": [
    {"industry": "Cryptocurrency", "name": "Solana", "type": "Blockchain Ecosystem"}
  ],
  "attack_vector": "Malicious Software Packages",
  "data_breach": {
    "data_exfiltration": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": ["Private Keys", "Wallet Funds"]
  },
  "description": "Malicious npm and PyPI packages were crafted to target Solana's ecosystem, with the intent to steal private keys and drain funds from victims' wallets. The operation involved typosquatting and names mimicking popular libraries, with the theft executed via Gmail SMTP servers to evade detection. Despite discovery and reporting, the malicious packages remained live at that time. Attackers rigged the packages to programmatically transfer the majority of wallet contents to their address, carefully leaving a small fraction to avoid raising immediate suspicion. Over 130 downloads were recorded for these packages, showcasing a targeted approach to siphon off Solana's assets via automated exfiltration.",
  "impact": {"data_compromised": ["Private Keys", "Wallet Funds"]},
  "initial_access_broker": {
    "entry_point": "Malicious Software Packages",
    "high_value_targets": "Private Keys"
  },
  "motivation": "Financial Gain",
  "post_incident_analysis": {
    "root_causes": ["Typosquatting", "Malicious Software Packages"]
  },
  "title": "Malicious npm and PyPI Packages Targeting Solana's Ecosystem",
  "type": "Cyber Theft",
  "vulnerability_exploited": "Typosquatting"
}