Functionality and Threats
1. Solana Private Key Theft
The first four npm packages (dexscreener, solana-transaction-toolkit, solana-stable-web-huks, and @async-mutex/mutex) are engineered to:
- Steal Solana private keys and exfiltrate them via Gmail SMTP servers, bypassing firewalls.
- Drain Solana wallets, transferring up to 98% of funds to an attacker-controlled address.
2. Destructive “Kill Switch”
Other npm packages (e.g., csbchalk-next) feature:
- Environment variable exfiltration to a remote server.
- A kill switch that deletes project-specific directories, triggered remotely when the attacker's server answers with response code 202.
3. Discord Backdoor Installation
The PyPI package pycord-self:
- Captures Discord authentication tokens.
- Installs a backdoor for persistent attacker access on both Windows and Linux.