Solana Tool Steals Crypto From Its Users
The malicious GitHub repository in question featured “a relatively high number of stars and forks,” SlowMist said. All code commits across all its directories were made about three weeks ago, with apparent irregularities and a lack of consistent pattern that, according to SlowMist, would indicate a legitimate project.
The project is Node.js-based and leverages the third-party package crypto-layout-utils as a dependency. “Upon further inspection, we found that this package had already been removed from the official NPM registry,” SlowMist said.
The package could no longer be downloaded from the official node package manager (NPM) registry, prompting investigators to question how the victim had downloaded the package. Investigating further, SlowMist discovered that the attacker was downloading the library from a separate GitHub repository.
After analyzing the package, SlowMist researchers found it to be heavily obfuscated using jsjiami.com.v7, making analysis harder. After de-obfuscation, investigators confirmed that it was a malicious package that scans local files, and if it detects wallet-related content or private keys, it would upload them to a remote server.
Further investigation by SlowMist revealed that the attacker likely controlled a batch of GitHub accounts. These accounts were used to fork projects into malicious variations, distributing malware while artificially inflating fork and star counts.
Multiple forked repositories exhibited similar features, with some versions incorporating another malicious package, bs58-encrypt-utils-1.0.3. This package was created on June 12, which is when SlowMist researchers said they believed the attacker began distributing malicious NPM modules and Node.js projects.
The incident is the latest in a string of software supply chain attacks targeting crypto users. In recent weeks, similar schemes have targeted Firefox users with fake wallet extensions and used GitHub repositories to host credential-stealing code.
