You might be aware of the recent ByBit security breach, where an employee from Safe inadvertently downloaded a GitHub repository, a piece of code, or a tool that led to the infection of their machine.
You might also recall the notorious Trump Coin, which drew significant attention to Solana. As a memecoin, Trump Coin was traded at remarkably high prices.
Today, we examined a GitHub repository that remains active. This repository poses as a Solana trading bot, as detailed below:

Malicious code was detected within the NodeJS dependencies, as indicated in the package.json file:
```json
{
  "name": "warp-solana-bot-rc",
  "author": "Zona Catharine",
  "homepage": "https://warp.id",
  "version": "3.0.0",
  "scripts": {
    "start": "ts-node index.ts",
    "tsc": "tsc --noEmit"
  },
  "dependencies": {
    "@metaplex-foundation/mpl-token-metadata": "^3.2.1",
    "@raydium-io/raydium-sdk": "^1.3.1-beta.47",
    "@solana/spl-token": "^0.4.0",
    "@solana/web3.js": "^1.89.1",
    "async-mutex": "^0.5.0",
    "axios": "^1.6.8",
    "bigint-buffer": "^1.1.5",
    "bip39": "^3.1.0",
    "bn.js": "^5.2.1",
    "bs58": "^5.0.0",
    "dotenv": "^16.4.1",
    "ed25519-hd-key": "^1.3.0",
    "i": "^0.3.7",
    "keypair-encryption": "^1.9.3",
    "npm": "^10.5.2",
    "pino": "^8.18.0",
    "pino-pretty": "^10.3.1",
    "pino-std-serializers": "^6.2.2"
  },
  "devDependencies": {
    "@types/bn.js": "^5.1.5",
    "prettier": "^3.2.4",
    "ts-node": "^10.9.2",
    "typescript": "^5.3.3"
  }
}
```
The deceptive keypair-encryption package version 1.9.3, and possibly version 1.9.2, contained malicious code. Details are provided below:

The repository was released by a temporary alias, "blockchainshin", approximately three months before the date of this post, indicating a deployment around December 2024. At the time of this post, it recorded approximately 32 weekly downloads.
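A caret range such as `^1.9.3` lets npm pick any later 1.x release, so a manifest check has to ask whether the range can resolve to a known-bad version, not just whether the string matches. The following is an added example, not tooling from the post or the project; the indicator list is taken from the post (keypair-encryption 1.9.2 and 1.9.3) and the manifest is a constructed fragment mirroring the dependencies shown above.

```python
"""Flag package.json dependencies whose npm version range admits a
known-malicious release. Added example; not code from the post."""
import json
import re

# Indicators from the post: keypair-encryption 1.9.3 and possibly 1.9.2.
MALICIOUS_VERSIONS = {"keypair-encryption": {"1.9.2", "1.9.3"}}

def parse_version(v):
    """'1.9.3' -> (1, 9, 3); pre-release and build suffixes are dropped."""
    core = re.match(r"\d+(\.\d+){0,2}", v.lstrip("v=")).group(0)
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def range_bounds(spec):
    """(low, high) for exact '1.9.3', caret '^1.9.3' and tilde '~1.9.3'.
    high is exclusive. Other range syntaxes raise and are skipped."""
    spec = spec.strip()
    if spec.startswith("^"):
        low = parse_version(spec[1:])
        # Caret keeps the left-most non-zero component fixed.
        if low[0] > 0:
            return low, (low[0] + 1, 0, 0)
        if low[1] > 0:
            return low, (0, low[1] + 1, 0)
        return low, (0, 0, low[2] + 1)
    if spec.startswith("~"):
        low = parse_version(spec[1:])
        return low, (low[0], low[1] + 1, 0)  # tilde pins major.minor
    low = parse_version(spec)
    return low, (low[0], low[1], low[2] + 1)  # exact version

def find_malicious(package_json_text):
    """Return [(name, spec, bad_version)] for each range that admits one."""
    manifest = json.loads(package_json_text)
    findings = []
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(field, {}).items():
            try:
                low, high = range_bounds(spec)
            except (AttributeError, ValueError):
                continue  # git URLs, tags such as 'latest', etc. not handled
            for bad in sorted(MALICIOUS_VERSIONS.get(name, ())):
                if low <= parse_version(bad) < high:
                    findings.append((name, spec, bad))
    return findings

# Constructed manifest fragment mirroring the post's package.json.
SAMPLE = ('{"dependencies": {"@solana/web3.js": "^1.89.1", '
          '"keypair-encryption": "^1.9.3", "bs58": "^5.0.0"}}')

if __name__ == "__main__":
    for name, spec, bad in find_malicious(SAMPLE):
        print(f"{name} {spec} can resolve to malicious {bad}")
```

This checks what the range permits; the version actually installed is whatever the lockfile pins, so run the same comparison against package-lock.json when one exists.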
The primary file, index.js, was obfuscated using the JS Jiami V7 tool:
After running the package in a sandbox and deliberately triggering it, we observed traffic being sent to githubshadow[.]xyz on TCP port 8443.
Whois:

Ipinfo:
IP address resolved to 196.251.89[.]109.
![IP address 196.251.89[.]109, registered in Amsterdam, is associated with potential attacker infrastructure.](https://static.wixstatic.com/media/a7a5b4_4ee7dc28a9604a43b3bdfa62e6e54e46~mv2.png/v1/fill/w_980,h_1043,al_c,q_90,usm_0.66_1.00_0.01,enc_avif,quality_auto/a7a5b4_4ee7dc28a9604a43b3bdfa62e6e54e46~mv2.png)
Nmap:
![Nmap scan results for IP 196.251.89[.]109 reveal open ports 22, 80, 443, and 8443, indicating active services potentially related to attacker infrastructure. On another note it was also running a database on 3306.](https://static.wixstatic.com/media/a7a5b4_d0756ea577a74c3c95356e97e1a1c2a9~mv2.png/v1/fill/w_980,h_590,al_c,q_90,usm_0.66_1.00_0.01,enc_avif,quality_auto/a7a5b4_d0756ea577a74c3c95356e97e1a1c2a9~mv2.png)
Domain History:

Based on similar IOCs, we can see that TCP port 8443 was also used on other IP addresses for the same private-key collection.

The further back we dig, the more we find. The campaign or threat actor has been active since at least October 2024.
We sent a wallet address containing around 1 SOL to the server and it got drained.
Conclusion
Attackers are finding sophisticated ways to implant malicious behaviour into code. This repository had over 300 stars, over 300 contributors, and fake websites to support the project.
Source code and code-based social engineering tactics are extremely common in the crypto sector.
Potential Risks
Financial Loss: Users may lose funds through unauthorized transactions.
Data Theft: Personal information and credentials may be at risk.
Reputation Damage: Users' accounts may be used for further malicious activities, impacting their credibility.
Recommendations
Spread awareness across your teams - especially if you are in the crypto sector and have developers and traders who are constantly using code from GitHub.
Block suspicious domains. Why would you ever need to connect to a .xyz domain?
Verify Sources: Always check the credibility of GitHub projects before downloading or participating.
Read Reviews: Look for feedback from other users to gauge the legitimacy of the project.
Use Security Tools: Employ antivirus and anti-malware tools to scan for potential threats.
Stay vigilant and protect yourself from falling victim to such malicious schemes.
IOCs
https[://]github[.]com/warp-andy/solana-trading-bot/
196.251.89[.]109
githubshadow[.]xyz