
Attackers distributed malicious npm packages such as @async-mutex/mutex, dexscreener, solana-transaction-toolkit, and solana-stable-web-huks.
These packages used typosquatting techniques, masquerading as legitimate tools. Their malicious scripts intercepted private keys during interactions with Solana crypto wallets and exfiltrated them through Gmail's SMTP servers, which made the traffic difficult to distinguish from legitimate mail. Some packages also programmatically drained wallets, transferring up to 98% of funds to addresses controlled by the attackers. In total, these packages were downloaded more than 130 times, creating risks for developers and their work environments.
Cybercriminals are increasingly using trusted platforms such as npm and GitHub to distribute malicious code. In 2024, the number of such packages on open package registries increased by 1300% compared to 2020. Analysts warn that using artificial intelligence to generate descriptions for malicious packages can make them even more convincing to users.
This situation highlights the need for stricter security measures when installing dependencies, especially packages with low download counts. Developers are encouraged to perform regular package checks, use tools like Socket, and enforce strict access control over sensitive information, including crypto wallets.
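The package checks recommended above can be partly automated before anything is installed. The following is an added example, not code from the article or from Socket: it flags dependency names that look like typosquats of an allow-list of well-known packages (a scope that reuses a known package's name, as in @async-mutex/mutex versus async-mutex, or a base name within a couple of edits of a known one) and flags resolved manifests that declare npm install-time lifecycle scripts. The allow-list, the sample dependency set, and the sample manifests are constructed for illustration.

```javascript
// Added example (not from the article): pre-install audit of a dependency set.
// Flags (1) names resembling well-known packages and (2) install-time scripts.

// Levenshtein edit distance between two strings.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// Split "@scope/name" into its parts; unscoped names get scope null.
function parseName(name) {
  const m = /^@([^/]+)\/(.+)$/.exec(name);
  return m ? { scope: m[1], base: m[2] } : { scope: null, base: name };
}

// Return the well-known package a name resembles, or null if it looks fine.
function typosquatOf(name, knownPackages, maxDistance = 2) {
  if (knownPackages.includes(name)) return null; // exact match is the real package
  const { scope, base } = parseName(name);
  for (const known of knownPackages) {
    // A scope that reuses a well-known package's name (@async-mutex/mutex vs async-mutex)
    if (scope !== null && scope === known) return known;
    // A base name within a few edits of a well-known package (lodahs vs lodash)
    if (editDistance(base, known) <= maxDistance) return known;
  }
  return null;
}

// Audit a dependency map against the allow-list and the resolved manifests.
// `manifests` maps package name -> its package.json contents (constructed here).
function auditDependencies(deps, knownPackages, manifests) {
  const findings = [];
  for (const name of Object.keys(deps)) {
    const lookalike = typosquatOf(name, knownPackages);
    if (lookalike) findings.push({ name, reason: `name resembles ${lookalike}` });
    const scripts = (manifests[name] && manifests[name].scripts) || {};
    // Lifecycle hooks run arbitrary code on `npm install`; review them before installing.
    for (const hook of ['preinstall', 'install', 'postinstall']) {
      if (hook in scripts) findings.push({ name, reason: `declares ${hook} script` });
    }
  }
  return findings;
}

// Constructed allow-list of packages the project is known to rely on.
const KNOWN_PACKAGES = ['async-mutex', 'lodash', 'express', '@solana/web3.js'];

// Constructed dependency set: one legitimate, one typo, one scope-squat, one with a hook.
const SAMPLE_DEPS = {
  'lodash': '^4.17.21',
  'lodahs': '^1.0.0',
  '@async-mutex/mutex': '^0.1.0',
  'solana-transaction-toolkit': '^1.0.0',
};

// Constructed manifests standing in for the resolved package.json files.
const SAMPLE_MANIFESTS = {
  'lodash': { scripts: { test: 'mocha' } },
  'solana-transaction-toolkit': { scripts: { postinstall: 'node setup.js' } },
};

for (const f of auditDependencies(SAMPLE_DEPS, KNOWN_PACKAGES, SAMPLE_MANIFESTS)) {
  console.log(`${f.name}: ${f.reason}`);
}
```

A `maxDistance` of 2 catches single-character typos and transpositions without flagging every short name; widen the allow-list with the registry names your lockfile actually pins and treat any finding as a reason to inspect the package, not as proof of malice.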