Analysis and Prevention of New NPM Package Attacks Targeting Solana Users and the Theft of Private Keys


Analysis of Malicious NPM Package Theft of Solana Users' Private Keys

In early July 2025, a malicious attack targeting Solana users was exposed. The attackers disguised themselves as a legitimate open-source project, luring users to download and run a Node.js project containing malicious code, thereby stealing users' wallet private keys and crypto assets.

Malicious NPM package steals Private Key, Solana users' assets are stolen

Event Process

On July 2nd, a victim contacted the security team, stating that their cryptocurrency assets were stolen after using the open-source project "solana-pumpfun-bot" on GitHub. The security team immediately launched an investigation.

The investigation found several anomalies in the GitHub project:

  1. The commits were concentrated about three weeks earlier, with no continuous updates since.
  2. The project depends on a suspicious third-party package, "crypto-layout-utils".
  3. That dependency had been removed from the official NPM registry, and the version pinned by the project does not appear anywhere in NPM's published history.


Further analysis revealed that the attacker had replaced the resolved download URL for "crypto-layout-utils" in package-lock.json with the address of a GitHub repository under their control, so `npm install` fetched the attacker's code instead of a registry package.


Malicious Code Analysis

The security team downloaded and analyzed the suspicious dependency package, discovering that it contained highly obfuscated malicious code. This code implemented the following functions:

  1. Scan the user's computer files for wallet or Private Key related content.
  2. Upload the discovered sensitive information to the server controlled by the attacker.


Attack Methods

  1. Control multiple GitHub accounts to fork and distribute the malicious project.
  2. Inflate the Fork and Star counts of high-profile projects to enhance credibility.
  3. Replace the NPM package download link to bypass the registry's official review.
  4. Obfuscate the code to make analysis harder.

Capital Flow

Using on-chain analysis tools, it was found that some of the stolen funds were transferred to a certain cryptocurrency exchange.

Security Recommendations

  1. Exercise caution with GitHub projects of unknown origin, especially those that perform wallet operations.
  2. Run and debug third-party code in an isolated environment that holds no sensitive data such as wallet files or private keys.
  3. Check system security regularly and keep software and protective measures up to date.

This incident once again emphasizes the importance of staying vigilant when handling crypto assets. Attackers are constantly innovating their methods, and both users and developers need to enhance their security awareness and take necessary protective measures.

Comments
MEV_Whisperer · 13h ago
Another sucker play machine on GitHub.

OldLeekConfession · 14h ago
SOL has been sucked again and again.

HodlKumamon · 08-06 08:04
Oh dear, a node project that doesn't do code auditing feels as risky as swimming naked.

SerumSurfer · 08-06 08:03
Huh? You can't easily trust npm packages either.

MiningDisasterSurvivor · 08-06 08:02
This trap is not as clever as the EOS funding scheme from 2018. Suckers truly come one after another.

RugPullAlertBot · 08-06 07:57
Another batch of newbies has been taken away.