Crypto Developers Attacked With Malicious npm Packages to Steal Login Details

A sophisticated new threat campaign has emerged targeting cryptocurrency developers through malicious npm packages designed to steal sensitive credentials and wallet information.

The attack, dubbed “Solana-Scan” by researchers, specifically targets the Solana cryptocurrency ecosystem by masquerading as legitimate software development kits and scanning tools.

The campaign centers around multiple malicious npm packages, including “solana-pump-test” and “solana-spl-sdk,” published by a threat actor using the handle “cryptohan” with the email address crypto2001813@gmail[.]com.

These packages present themselves as advanced Solana file scanning and upload SDKs with multi-threading capabilities, deliberately mimicking legitimate development tools to deceive unsuspecting developers.

[Figure: solana-pump-test and solana-spl-sdk (Source – Safety)]

Safety researchers identified this threat campaign through their malicious package detection technology, discovering that the packages contain heavily obfuscated JavaScript payloads designed to harvest cryptocurrency-related credentials and sensitive files.

The malware specifically targets files with extensions including .env, .json, .one, .one1, .one2, and .txt, using regular expressions to identify potential cryptocurrency tokens and wallet credentials stored on compromised systems.

The campaign demonstrates a concerning trend of threat actors leveraging the npm ecosystem to distribute sophisticated infostealers.

With over 17,000 files already collected according to the exposed command and control infrastructure, the attack appears to have achieved significant reach within the targeted developer community.

Particularly troubling is the apparent focus on Russian cryptocurrency developers, with victim IP addresses traced to Moscow, while the command and control server operates from a US-based infrastructure at IP address 209.159.159.198.

Multi-Stage Infection and Persistence Mechanism

The malware employs a sophisticated multi-stage deployment strategy that begins with the universal-launcher.cjs file, which serves as the initial entry point.

This launcher script performs extensive environmental reconnaissance, collecting system information including the username, working directory, and npm installation mode.

[Figure: Universal-launcher.js JavaScript (Source – Safety)]

The code contains telltale signs of AI-assisted generation, including console.log messages with emojis and specific coding patterns consistent with tools like Anthropic’s Claude.

// Hex-mangled identifiers: the launcher reads context that the install hook passed in via environment variables.
const _0x35a3f5 = process.env.DETECTED_USERNAME;           // victim's username
const _0x459771 = process.env.WORKING_DIR;                 // directory the install ran from
const _0x45a3ca = process.env.NPM_INSTALL_MODE === "true"; // whether it was launched by an npm install hook
console.log("🚀 Universal Launcher NPM Install Mode: " + _0x45a3ca); // emoji log line typical of AI-generated code

Once executed, the launcher searches for secondary payloads (index.js or index.cjs files) and launches them as background processes to maintain persistence.

The main payload then performs comprehensive file system scanning of user directories, including the Documents, Downloads, and Desktop folders, while deliberately skipping development-related directories such as node_modules and .git to reduce noise and avoid detection.

The collected data is packaged as JSON and exfiltrated to the command and control server. An exposed web interface on that server reveals the scope of the operation: it lists stolen files from compromised victims, including password databases, cryptocurrency exchange credentials, and wallet files.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.