A sophisticated threat campaign dubbed “Solana-Scan” has emerged, deploying malicious npm packages aimed at infiltrating the Solana cryptocurrency ecosystem.
Identified by the Safety research team through advanced malicious package detection technology, this operation involves a threat actor operating under the handle “cryptohan” and associated with the email [email protected].
The actor has published packages masquerading as tools for scanning Solana SDK components, a tactic designed to lure developers in the crypto space.
Discovery of the Solana-Scan Campaign
Currently, two packages remain active on the npm registry: solana-pump-test and solana-spl-sdk, while a third, solana-pump-sdk, was recently removed by the actor.
The campaign’s nomenclature stems from references in the packages’ manifests to a non-existent “solana-scan” tool, which falsely implies legitimacy for scanning Solana-related dependencies.
This deceptive naming convention underscores the actor’s intent to exploit trust within the developer community, particularly those working on cryptocurrency projects.
The timeline of the attack reveals a rapid deployment strategy, with the initial package, solana-pump-test, published at 07:37 UTC on August 15, 2025, followed by 14 versions released over a 10-hour period.
The subsequent solana-spl-sdk appeared at 19:34 UTC the same day. Analysis of the package contents shows high similarity across these artifacts, including identical files in their dist directories.
The threat actor’s choice of the “cryptohan” moniker appears to be a deliberate ploy for perceived legitimacy, as the name is commonly used across various cryptocurrency entities without tying to a specific individual or organization.
Victims seem concentrated among Russian cryptocurrency developers, based on exposed data from the command-and-control (C2) infrastructure, though confirmation of npm as the exact infection vector remains pending.
This geographic targeting, combined with the C2 server’s location in the United States, raises questions about potential state-sponsored involvement, highlighting an unusual cross-border dynamic in cyber threats.
Unique Attack Characteristics
Delving into the technical mechanics, the packages’ manifests feature a “bin” key that invokes the dist/universal-launcher.cjs file, serving as the entry point for malicious execution.
This launcher script, along with other JavaScript files in the dist folder, is heavily obfuscated, a clear indicator of evasion tactics.
Upon deobfuscation, the universal-launcher.js reveals environmental data collection, including username, working directory, and installation method, alongside interactions with the local Node.js and npm environments, a hallmark of evolving threat actor sophistication.
Console logs incorporating emojis suggest the code may have been generated using AI tools like Anthropic’s Claude, adding a layer of modernity to the attack’s development process.
The script then spawns a background process from index.js or index.cjs, ensuring persistence.
The core payload in index.js conducts a comprehensive file scan across the victim’s system, targeting directories such as the home folder, Documents, Downloads, and Desktop, as well as additional Windows drives.
It hunts for files with extensions like .env, .json, .one, .one1, .one2, and .txt, employing regular expressions to extract potential cryptocurrency tokens, wallet credentials, and exchange login details.

Exclusions for directories like node_modules and .git prevent unnecessary noise in the collected data and reduce the chance of detection.
Collected data is bundled into a JSON object and exfiltrated to the C2 server at IP address 209.159.159.198 on port 3000, which hosts a Windows Server 2022 instance with an active RDP service and a web interface exposing victim files.
According to the report, Shodan scans confirm the server’s U.S. hosting, and the web endpoint inadvertently reveals compromised assets, including password files and crypto credentials, providing rare visibility into the backend operations.
What sets this campaign apart is its blend of AI-assisted code generation, nuanced npm/Node interactions for payload delivery, and the geopolitical intrigue of U.S.-based C2 targeting Russian victims.
This reflects a maturing threat landscape where actors leverage open-source ecosystems for infostealer deployment, emphasizing the need for rigorous package vetting in cryptocurrency development workflows.
Indicators of Compromise (IOCs)
| Category | Details |
|---|---|
| NPM Packages | solana-pump-test, solana-spl-sdk, solana-pump-sdk |
| File Hashes | bd93bea65242bc8205728f129c9bbadc694d849a028fc2d771f9ea60a293665c (./index.cjs) |
| | e6f75dbf6d42e4c34b1a267426accd6dfd3ea7773a28e580c10687768fcc3883 (./index.js) |
| | ed5b9c8bfede0668a240e976e65a46e2dd393ef597c7068c1bb842173ae51ebb (./install.cjs) |
| | 233a408bbcd072236d9331792356ed0b59da5a4c51e3ca74f860a4bf1a621c15 (./install.js) |
| | 21a6135067c3f150a4629e4746c8b81c5b41567117eeaf69224a1919077521d9 (./universal-launcher.cjs) |
| Email Addresses | [email protected] |
| IP Addresses | 209.159.159.198 |