Researchers uncovered three malicious npm packages, solanacore, solana-login, and walletcore-gen, published this month by a single user, with a combined download count exceeding 1,900.
The three packages share identical structures, files, and code. Each contains Windows PowerShell scripts as well as a trojan.exe file disguised as “WebBrowser for Windows.”
When a package is installed, its “postinstall” script executes these malicious components, posing a significant security risk to the affected systems.
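Because npm runs lifecycle scripts such as postinstall automatically during installation, the cheapest defensive check is to inspect a package’s manifest and tarball contents before letting them run. The following Node.js script is an added example, not code from the article or from the packages it describes: it reads a package.json, reports every install-time hook, flags commands that match the behaviour described above (PowerShell launchers, dropped .exe or .ps1 files, webhook URLs), and checks a tarball file listing for native payloads. The package names, scripts, and indicator regexes are constructed for the demonstration, not a published ruleset.

```javascript
// Added example (not code from the article or the packages it describes):
// audit an npm package manifest for install-time lifecycle scripts and flag
// commands that fit the behaviour described above. Package names, scripts
// and indicator patterns below are constructed for the demonstration.

// npm runs these scripts automatically during `npm install`
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristic indicators; the regexes are our own, not a published ruleset
const INDICATORS = [
  { name: 'powershell', re: /\b(powershell(\.exe)?|pwsh)\b/i },
  { name: 'execution-policy-bypass', re: /-ExecutionPolicy\s+Bypass|-ep\s+bypass/i },
  { name: 'powershell-script-file', re: /\.ps1\b/i },
  { name: 'windows-executable', re: /\.exe\b/i },
  { name: 'slack-webhook', re: /hooks\.slack\.com\/services\//i },
  { name: 'discord-webhook', re: /discord(app)?\.com\/api\/webhooks\//i },
];

// File extensions that have no place in a typical JavaScript package tarball
const RISKY_EXTENSIONS = ['.ps1', '.exe', '.bat', '.cmd', '.vbs', '.dll'];

// Parse a package.json string and return every install-time hook with the
// indicators its command matched
function auditManifest(manifestText) {
  const pkg = JSON.parse(manifestText);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== 'string') continue;
    const indicators = INDICATORS.filter(i => i.re.test(command)).map(i => i.name);
    findings.push({ hook, command, indicators });
  }
  return { name: pkg.name, version: pkg.version, findings };
}

// Any install hook deserves a look; one matching an indicator is high risk
function riskLevel(report) {
  if (report.findings.some(f => f.indicators.length > 0)) return 'high';
  if (report.findings.length > 0) return 'review';
  return 'none';
}

// Check a tarball file list (e.g. from `npm pack --dry-run`) for native payloads
function flagBundledFiles(fileList) {
  return fileList.filter(f => RISKY_EXTENSIONS.some(ext => f.toLowerCase().endsWith(ext)));
}

// Constructed manifests for the demonstration
const SUSPICIOUS_MANIFEST = JSON.stringify({
  name: 'example-wallet-helper', // constructed name, not one of the real packages
  version: '1.0.0',
  scripts: {
    postinstall: 'powershell -ExecutionPolicy Bypass -File .\\driver.ps1 && start WebBrowser.exe',
    test: 'node test.js',
  },
});

const NATIVE_ADDON_MANIFEST = JSON.stringify({
  name: 'example-native-addon',
  version: '2.3.1',
  scripts: { install: 'node-gyp rebuild' }, // legitimate use of an install hook
});

const BENIGN_MANIFEST = JSON.stringify({
  name: 'example-utils',
  version: '0.1.0',
  scripts: { build: 'tsc', test: 'node test.js' },
});

for (const m of [SUSPICIOUS_MANIFEST, NATIVE_ADDON_MANIFEST, BENIGN_MANIFEST]) {
  const report = auditManifest(m);
  console.log(report.name, '->', riskLevel(report), JSON.stringify(report.findings));
}
console.log(flagBundledFiles(['package.json', 'index.js', 'drivers/intel-keyboard.ps1', 'WebBrowser.exe']));
```

A “review” result is not proof of malice: native addons legitimately use install hooks for node-gyp. For a package you have not vetted, `npm pack --dry-run <package>` lists the tarball contents for the file check, and `npm install --ignore-scripts` prevents lifecycle scripts from running at all until you have read them.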
The “Intel Keyboard Driver” is a rudimentary PowerShell script masquerading as a legitimate driver. It openly logs keystrokes and saves them to a local “ok.txt” file; its lack of obfuscation likely aims to evade security measures that flag heavily obfuscated or evasive malware.
Alternatively, it could be a preliminary test before more sophisticated and harmful payloads are deployed, in line with the observed trend of attackers first using simple tools to assess an environment before escalating their attacks.
The observed malicious activity uses two distinct methods for data exfiltration. First, the keylogging script abuses a Slack webhook to transmit the stolen keystrokes in “ok.txt” to a remote server, a departure from previous campaigns that relied primarily on Discord webhooks and common file-upload services.
Second, the “accessibility” PowerShell script captures screenshots of the infected system and uploads them to ImgBB’s image hosting service through its API, which demonstrates the attackers’ adaptability in using diverse exfiltration channels to evade detection and maintain persistent access to compromised systems.
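Both exfiltration channels described here ride on legitimate, widely allowed services, so blocking the hostnames is rarely an option; the useful signal is which process is posting to them. The following Node.js script is an added example, not from the article or any vendor’s detection content: it runs over constructed proxy log lines and flags POST requests to Slack webhook, Discord webhook, and ImgBB upload endpoints, rating them high when the client is a script host such as powershell.exe. The log format, sample lines, and process list are assumptions made for the demonstration.

```javascript
// Added example (not from the article): flag outbound HTTP requests that fit
// the exfiltration channels described above. The log format, sample lines
// and process list are constructed for the demonstration.

// Constructed proxy log lines: timestamp, client process, method, URL, bytes sent
const SAMPLE_LOG = `
2025-01-15T10:02:11Z powershell.exe POST https://hooks.slack.com/services/T000/B000/XXXX 4096
2025-01-15T10:02:40Z chrome.exe GET https://www.npmjs.com/package/lodash 512
2025-01-15T10:03:05Z powershell.exe POST https://api.imgbb.com/1/upload?key=REDACTED 187220
2025-01-15T10:03:30Z node.exe GET https://registry.npmjs.org/express 640
2025-01-15T10:04:02Z slack.exe POST https://hooks.slack.com/services/T111/B111/YYYY 2048
`.trim();

// Endpoints used as exfiltration sinks in the campaigns described above
const EXFIL_SINKS = [
  { channel: 'slack-webhook', host: /^hooks\.slack\.com$/i, path: /^\/services\// },
  { channel: 'discord-webhook', host: /^(discordapp|discord)\.com$/i, path: /^\/api\/webhooks\// },
  { channel: 'imgbb-upload', host: /^api\.imgbb\.com$/i, path: /^\/1\/upload/ },
];

// Script hosts that normally have no business posting to these endpoints
const SCRIPT_HOSTS = new Set(['powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe']);

// Split one log line into its fields and decompose the URL
function parseLine(line) {
  const [ts, proc, method, url, bytes] = line.split(/\s+/);
  const u = new URL(url);
  return { ts, proc: proc.toLowerCase(), method, host: u.hostname, path: u.pathname, bytes: Number(bytes) };
}

// Return a finding for a POST to a known sink, or null for anything else
function classify(entry) {
  if (entry.method !== 'POST') return null;
  const sink = EXFIL_SINKS.find(s => s.host.test(entry.host) && s.path.test(entry.path));
  if (!sink) return null;
  // A webhook POST from a script host is the strongest signal; from an
  // ordinary client it is still worth a lower-severity note for triage.
  const severity = SCRIPT_HOSTS.has(entry.proc) ? 'high' : 'low';
  return { ...entry, channel: sink.channel, severity };
}

// Run the detection over a whole log text and return the findings in order
function detectExfil(logText) {
  return logText
    .split('\n')
    .map(l => l.trim())
    .filter(Boolean)
    .map(parseLine)
    .map(classify)
    .filter(Boolean);
}

for (const hit of detectExfil(SAMPLE_LOG)) {
  console.log(`${hit.severity.toUpperCase()} ${hit.ts} ${hit.proc} -> ${hit.channel} (${hit.bytes} bytes)`);
}
```

Pairing the process name with the destination is what keeps the rule useful: the same Slack webhook POST from slack.exe is ordinary traffic, while from powershell.exe it matches the keylogger behaviour described above. The bytes-sent field is worth keeping in the finding, since a screenshot upload is much larger than a webhook message.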
Several malicious JavaScript packages were also found using Discord webhooks for data exfiltration. Their code notably references the LockBit ransomware group, and the packages harvested passwords from password managers and captured screenshots of development environments, suggesting potential espionage or data theft.
According to Sonatype, despite the references to LockBit, the sophistication of the techniques used raises questions about whether there is any direct connection to the actual LockBit group.
Regardless of the author’s motives, these packages pose a significant security risk and should be removed immediately from any affected systems, followed by thorough remediation to mitigate potential damage.