Hackers Spreading Malicious Python Packages Through Popular Developer Q&A Platform


The malware hidden within the package functioned as a comprehensive information stealer, targeting a wide range of data. This included web browser passwords, cookies, credit card details, cryptocurrency wallets, and information from messaging apps like Telegram, Signal, and Session.
Additionally, it had features to capture screenshots and search for files containing GitHub recovery codes and BitLocker keys. The collected information was then compressed and sent to two Telegram bots controlled by the attacker.
The malware also included a backdoor component, giving the attacker persistent remote access to the victims’ machines, enabling further exploits and long-term control.
The attack chain involved multiple stages, with the “raydium” package listing “spl-types” as a dependency to disguise its malicious behavior and appear legitimate to users.
A notable aspect of this campaign was the use of Stack Exchange as a vector for distribution. The attacker posted seemingly helpful answers to developer questions about performing swap transactions in Raydium using Python, referencing the malicious package. By choosing high-visibility threads with thousands of views, the attacker maximized the package’s reach and credibility.
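The pattern described above (a clean-looking top-level package pulling in a dependency that carries the stealer, which exfiltrates to Telegram bots) is something a pre-install audit can surface. The following is an added example, not code from the article or from any named project: it parses METADATA dependency lines, walks the dependency tree, and flags source strings a DEX swap library has no reason to contain. The package names, METADATA text and file contents in SAMPLE_INDEX are constructed for the example.

```python
import re
from typing import Dict, List
# Strings a reviewer would not expect in a library that only talks to a DEX.
INDICATORS = {
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot", re.I),
    "browser_credential_store": re.compile(r"Login Data|Web Data", re.I),
    "recovery_key_hunt": re.compile(r"BitLocker|recovery code", re.I),
}
REQ_LINE = re.compile(r"^Requires-Dist:\s*([A-Za-z0-9][A-Za-z0-9._-]*)", re.M)
# Constructed stand-in for an index: name -> METADATA text and source files. The
# clean top-level package pulls in a dependency carrying the exfiltration strings.
SAMPLE_INDEX: Dict[str, dict] = {
    "example-swap-client": {
        "metadata": "Name: example-swap-client\nRequires-Dist: example-types (>=0.1)\n",
        "files": {"swap.py": "def swap(pair): return quote('https://dex.example', pair)\n"}},
    "example-types": {
        "metadata": "Name: example-types\n",
        "files": {"types.py": "SEND = 'https://api.telegram.org/bot<TOKEN>/sendDocument'\n"
                              "STORE = 'User Data/Default/Login Data'\n"}},
}

def parse_requires(metadata: str) -> List[str]:
    """Dependency names from METADATA; version specs and markers are dropped."""
    return [m.group(1).lower() for m in REQ_LINE.finditer(metadata)]

def scan_sources(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each tripped indicator to the source files containing it."""
    hits: Dict[str, List[str]] = {}
    for path, text in files.items():
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.setdefault(name, []).append(path)
    return hits

def audit(root: str, index: Dict[str, dict]) -> List[dict]:
    """Walk the dependency tree from root and scan every package reached; each
    finding carries the chain that pulled the package in, so a clean top-level
    package cannot hide a malicious transitive dependency."""
    findings, seen, stack = [], set(), [(root, [root])]
    while stack:
        name, chain = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        pkg = index.get(name)
        if pkg is None:  # unresolvable offline: report it rather than skip silently
            findings.append({"package": name, "indicator": "unresolved", "chain": chain, "files": []})
            continue
        for ind, files in scan_sources(pkg["files"]).items():
            findings.append({"package": name, "indicator": ind, "chain": chain, "files": files})
        for dep in parse_requires(pkg["metadata"]):
            stack.append((dep, chain + [dep]))
    return findings
```

Running `audit("example-swap-client", SAMPLE_INDEX)` reports nothing for the top-level package and two findings for the dependency, each with the chain that introduced it.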
Although the original Stack Exchange post has

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
