
AI-Driven Crypto Malware Disguised as Ordinary Package Steals Funds Rapidly


New Malware Threat Targeting Cryptocurrency Wallets

A recent alarming report from the cybersecurity firm Safety has unveiled a new type of malware that preys on cryptocurrency wallets, disguising itself as a harmless software package. On July 31, the company alerted the crypto community about this sophisticated malware, which was able to exploit open-source resources effectively, raising red flags among developers and crypto investors alike.

How the Malware Operates

The malicious code was cleverly concealed within a JavaScript package available on the popular Node Package Manager (NPM), using AI technology to enhance its effectiveness. Safety’s head of research, Paul McCarty, noted that this particular NPM package functioned as a highly skilled cryptocurrency wallet drainer, illustrating how cybercriminals are increasingly using AI to design more compelling and harmful software.

Once installed, the malware wrote several scripts (monitor.js, sweeper.js, and utils.js) into hidden folders on Linux, Windows, and macOS. A background script named connection-pool.js kept a persistent link to a command-and-control server and probed the infected machine for wallet files. When it found one, the transaction-cache.js script carried out the actual theft, reading the wallet's contents and rapidly draining the funds.

Impact and Response

According to the report, the stolen cryptocurrency was funneled through a hardcoded Remote Procedure Call (RPC) endpoint leading to a specific address on the Solana blockchain. McCarty emphasized that the malware primarily targets unsuspecting developers and users associated with their applications, making it particularly dangerous.
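The two behaviours described above, install-time script execution and a hardcoded RPC endpoint, are both things a defender can check for before a package runs. The following is an added example, not Safety's tooling or code from the malicious package; it audits an unpacked npm package for install lifecycle hooks in package.json and for URL literals in its JavaScript that look like blockchain RPC endpoints. The sample manifest, sample source, the heuristic regexes and the package name `example-utils` are constructed assumptions for illustration.

```python
"""Audit an unpacked npm package for install-time hooks and hardcoded RPC URLs.

Added example for illustration; the heuristics are assumptions, not indicators
from the Safety report.
"""
import json
import re
import tempfile
from pathlib import Path

# Lifecycle hooks that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic (assumption): a hook that launches a script file or fetches/evaluates
# code at install time deserves a closer look.
SUSPICIOUS_CMD = re.compile(
    r"\bnode\b\s+\S+\.js|\bcurl\b|\bwget\b|\beval\b|base64", re.IGNORECASE
)

# Heuristic (assumption): URL literals that look like chain RPC endpoints.
RPC_URL = re.compile(r"https?://[\w./-]*(?:rpc|mainnet|solana)[\w./-]*", re.IGNORECASE)

# Constructed sample package: a postinstall hook that starts a background script,
# mirroring the connection-pool.js behaviour described in the article.
SAMPLE_MANIFEST = {
    "name": "example-utils",  # constructed name
    "version": "1.0.0",
    "scripts": {"postinstall": "node ./lib/connection-pool.js", "test": "jest"},
}
SAMPLE_SOURCE = 'const RPC = "https://rpc.example.invalid/solana"; // constructed\n'


def audit_manifest(manifest: dict) -> list:
    """Return findings for install-time hooks in a parsed package.json."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        severity = "high" if SUSPICIOUS_CMD.search(cmd) else "info"
        findings.append(
            {"kind": "lifecycle-hook", "hook": hook, "command": cmd, "severity": severity}
        )
    return findings


def audit_source(name: str, source: str) -> list:
    """Return findings for hardcoded RPC-looking URLs in one source file."""
    return [
        {"kind": "hardcoded-rpc", "file": name, "value": m.group(0), "severity": "medium"}
        for m in RPC_URL.finditer(source)
    ]


def audit_package(root: Path) -> list:
    """Audit package.json and every .js file under an unpacked package root."""
    findings = []
    manifest_path = root / "package.json"
    if manifest_path.exists():
        findings += audit_manifest(json.loads(manifest_path.read_text()))
    for js in sorted(root.rglob("*.js")):
        findings += audit_source(str(js.relative_to(root)), js.read_text(errors="ignore"))
    return findings


def demo() -> list:
    """Write the constructed sample package to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "package.json").write_text(json.dumps(SAMPLE_MANIFEST))
        (root / "lib" / "connection-pool.js").write_text(SAMPLE_SOURCE)
        return audit_package(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a package extracted with `npm pack` before installing; a high-severity lifecycle-hook finding means code runs on `npm install` without any import by your application. Installing with `npm install --ignore-scripts` (or setting `ignore-scripts=true` in `.npmrc`) prevents those hooks from executing at all, which is the cheapest mitigation for this class of package.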

The malware was initially published on July 28 and was downloaded more than 1,500 times before it was flagged as malicious and removed by NPM on July 30. Safety, based in Vancouver, prides itself on a proactive software supply chain security strategy, utilizing AI technology to analyze millions of open-source package updates. Their database reportedly identifies four times more vulnerabilities than those available in public repositories, making it a vital resource for individual developers, major corporations, and government entities alike.
