Ethical Hacking News

A Sophisticated Attack on Solana Users: The Rise of AI-Generated Malware



A sophisticated attack on Solana users has been uncovered, using AI-generated malware to drain wallets of funds. The attackers used an open C2 server to manage multiple infected hosts and share stolen funds with each other. This attack highlights the need for improved security measures and better detection capabilities in the face of AI-powered threats.

  • Malicious npm package was uploaded to the npm registry in July 2025 and downloaded over 1,500 times.
  • The malware, @kodane/patch-manager, drained Solana wallets of their funds using a postinstall script.
  • The attackers used an open C2 server to manage infected hosts and share stolen funds with each other.
  • The malicious package was AI-generated, with telltale signs such as excessive console logs, emojis in code, and structured markdown.
  • The attack highlights the need for improved security measures and better detection capabilities against AI-powered malware threats.



  • Malicious AI-generated npm package hits Solana users


    Pierluigi Paganini
    August 01, 2025



    In a shocking revelation, cybersecurity experts have uncovered a sophisticated malware attack that targeted users of the popular blockchain platform Solana. The malicious package, dubbed @kodane/patch-manager, was found to have been uploaded to the npm registry in July 2025 and downloaded over 1,500 times before being taken down by security researchers.

    The malware, which appears to be an AI-generated package, was designed with a specific purpose in mind: draining Solana wallets of their funds. The attackers used a postinstall script (a lifecycle hook that npm runs automatically once a package has been installed) to rename and hide files in disguised cache folders across macOS, Linux, and Windows operating systems. On Windows, the malware hid directories with attrib +H, making it difficult for users to detect its presence.

    However, what makes this attack particularly noteworthy is the use of an open C2 server by the attackers. This server, which logs wallet thefts without requiring authentication, allows the attackers to manage multiple infected hosts and share stolen funds with each other.

    The malicious npm package was published by a user named "Kodane," who uploaded 19 versions of the package in just two days. While "Kodane" means "offspring" in Japanese, timestamps suggest that the malware may have originated in Russia, China, or India. The use of AI to generate the malware's code and documentation gave the attackers both sophistication and convenience.

    The researchers who uncovered the malware pointed out that the excessive console logs, emojis in code, structured markdown, and repeated use of terms like "Enhanced" are all telltale signs of AI-generated code. These patterns are typical of tools like Claude, which can generate clean syntax, realistic comments, and professional-looking documentation.

    "This is a classic case of an AI-powered malware attack," said Pierluigi Paganini, the cybersecurity expert who first reported on the incident. "The attackers used AI to create a sophisticated package that could blend in seamlessly with legitimate software. The fact that they were able to get away with it for so long highlights the need for improved security measures and better detection capabilities."

    The attack raises important questions about the role of artificial intelligence in cybersecurity. As AI-generated code becomes more prevalent, it's essential for researchers and developers to develop new strategies for detecting and mitigating these types of threats.

    In addition to the Solana users who were directly affected by this attack, there are broader implications for the cybersecurity community. The use of AI-powered malware highlights the need for continued innovation in threat detection and response capabilities.

    As security experts continue to monitor the situation and develop new strategies for detecting and mitigating AI-generated malware threats, it's essential for users to remain vigilant and take steps to protect themselves from similar attacks in the future.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Sophisticated-Attack-on-Solana-Users-The-Rise-of-AI-Generated-Malware-ehn.shtml

  • https://securityaffairs.com/180680/malware/malicious-ai-generated-npm-package-hits-solana-users.html


  • Published: Fri Aug 1 17:40:30 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.