As the world’s biggest free email platform, Gmail often finds itself in the crosshairs as far as hack attacks are concerned. A new report has revealed how that’s the case as a new threat campaign stealing private keys to drain Solana crypto wallets is using and abusing trust in Gmail at the heart of its attack strategy. Here’s what you need to know.
Hackers Abuse Trust In Gmail To Target Crypto Keys
Not one, but two threat actors are targeting holders of Solana crypto wallets using overlapping tactics and techniques to steal private keys. The common denominator, however, is that Gmail is being used as the relay to exfiltrate the key data used to drain the wallets. The Socket Threat Research Team published their findings in a Jan. 8 report titled “Gmail For Exfiltration: Malicious npm Packages Target Solana Private Keys and Drain Victims’ Wallets.”
Threat intelligence analyst Kirill Boychenko said that Socket had found malicious node package manager packages “designed to designed to exfiltrate Solana private keys via Gmail,” using code to intercept private keys from wallet interactions and “funnel them through Gmail’s SMTP servers.” The use, or more accurately abuse, of Gmail here is important according to Boychenko. Gmail is such a well-known and trusted email service that “these exfiltration attempts are less likely to be flagged by firewalls or endpoint detection systems,” the report said, because they treat smtp.gmail.com as being legitimate traffic.
I have reached out to Google and Solana for a statement.
Hackers Leveraged Google AI-Powered Summary And Gmail Key Exfiltration
The malicious npm packages were disguised as legitimate tools, using typo-squatting to appear like one hugely popular package with 93 million downloads and, according to Socket, around a million downloads every week. “@async-mutex/mutex is a typosquat of the popular npm package async-mutex, which provides a mutual exclusion mechanism (mutex) for asynchronous JavaScript operations,” the report said. A warning was also issued by the researchers regarding the Google AI-powered summary for the malicious package, which produced a “friendly-sounding preview” that obscured the hidden malware and left developers exposed to serious risk. “When AI-driven summaries overlook embedded threats,” Boychenko said, “they may guide even cautious users toward installing harmful dependencies, endangering individual projects and the broader software supply chain.”
The researchers said that, at the time of the report publication, the malicious packages remained live and available for download but they had petitioned for their removal. “We also reported two GitHub repositories,” Boychenko said, “used by the threat actor…to amplify the malware campaign and lend legitimacy to these malicious packages.” I have reached out to GitHub for a statement. The attack code can handle multiple private keys simultaneously, the report said, allowing an attacker to compromise multiple user accounts or environments at once, with the discovered keys being exfiltrated to hacker-controlled Gmail addresses, which I won’t publish here but are accessible in the report itself.
