Cryptocurrency Developers Targeted via Malicious npm Packages to Steal Login Credentials
=======================================================================================
A new threat campaign, named "Solana-Scan," has been identified, targeting developers within the Solana ecosystem. The campaign employs a multi-stage deployment strategy, distributing sophisticated infostealers through the npm ecosystem [1][2][3].
The malicious npm packages, disguised as legitimate Solana SDK helper tools, serve as the initial entry point into affected systems [4]. These packages, such as solana-pump-test and solana-spl-sdk, contain an obfuscated CommonJS JavaScript payload.
Upon installation, the first-stage JavaScript payload performs system reconnaissance, gathering information about the compromised system [2][3]. This data collection process is followed by the extraction and execution of a second-stage payload, which scours the system for sensitive files including developer credentials, wallet key files, ".env" files, JSON keypairs, and other crypto-related assets [2][3].
The stolen data is packaged into JSON format and exfiltrated to a command-and-control server hosted on US-based infrastructure [1]. Victim IP addresses have been traced to Moscow, Russia [1]. The threat actor behind these packages uses the handle "cryptohan" and the email address crypto2001813@gmail[.]com [5].
Regarding persistence, the sources do not describe traditional techniques such as registry or startup-folder modifications. However, because this is supply chain malware delivered through npm packages, persistence comes from repeated installs on developer machines or in CI environments where the packages are used [2][3]. The multi-stage payload and obfuscation help it evade detection and delay analysis, which contributes indirectly to persistence by letting it survive casual scrutiny [2][3].
The malware targets files with the extensions .env, .json, .one, .one1, .one2, and .txt, looking for cryptocurrency tokens and wallet credentials. To reduce noise and avoid detection, it excludes development-related directories such as node_modules and .git [2].
The Solana-Scan infostealer also performs a comprehensive file system scan, targeting user directories such as Documents, Downloads, and Desktop. The launcher script collects system information including the username, working directory, and npm installation mode [2].
The malware conducts a multi-threaded scan of the system, searching for secondary payloads (index.js or index.cjs files) and launching them as background processes to maintain persistence [2]. The malicious npm packages masquerade as advanced Solana file scanning and upload SDKs with these multi-threading capabilities [4].
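The behaviour described above gives defenders two cheap things to check in a source tree: whether any manifest depends on the package names reported in this campaign, and which installed packages run code automatically at install time. The script below is an added example, not code from the article or from the cited researchers. The package names are taken from the article; the lifecycle-hook check assumes the usual npm mechanism by which a package runs code "upon installation" (the preinstall, install and postinstall scripts), which the article does not spell out for this campaign. The sample project it audits is constructed inline and contains no real malware.

```python
"""Audit a source tree for dependencies on the npm packages named in the
Solana-Scan reporting and for install-time lifecycle scripts.

Added example, not code from the original article or from the cited
research. KNOWN_BAD_PACKAGES comes from the article; INSTALL_HOOKS reflects
the general npm mechanism for running code during `npm install`, which is
an assumption about how this campaign's first stage was triggered.
"""
import json
import os
import tempfile
from typing import List

# Package names reported as malicious in the article.
KNOWN_BAD_PACKAGES = {"solana-pump-test", "solana-spl-sdk"}

# npm lifecycle hooks that execute automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Manifest fields that can pull in a package.
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")


def audit_manifest(manifest: dict, path: str) -> List[str]:
    """Return findings for one parsed package.json, identified by path."""
    findings = []
    for field in DEP_FIELDS:
        for name in manifest.get(field, {}):
            if name in KNOWN_BAD_PACKAGES:
                findings.append(f"{path}: {field} references known-bad package {name}")
    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(
                f"{path}: runs code at install time via '{hook}': {scripts[hook]}"
            )
    return findings


def audit_tree(root: str) -> List[str]:
    """Walk root and audit every package.json, including those under node_modules.

    Unlike the malware's own scan, node_modules is deliberately NOT skipped:
    that is where an installed package's manifest and lifecycle scripts live.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, json.JSONDecodeError):
            findings.append(f"{path}: unreadable or invalid JSON")
            continue
        if isinstance(manifest, dict):
            findings.extend(audit_manifest(manifest, os.path.relpath(path, root)))
    return findings


def build_sample_tree() -> str:
    """Create a constructed sample project (no real malware) for the demo."""
    root = tempfile.mkdtemp(prefix="npm-audit-demo-")
    # Constructed application manifest that pulls in one of the reported names.
    app = {
        "name": "demo-app",
        "dependencies": {"@solana/web3.js": "^1.0.0", "solana-spl-sdk": "^1.0.0"},
    }
    # Constructed installed-package manifest with an install-time hook; the
    # "index.cjs" file name echoes the secondary payload name from the article.
    dep_dir = os.path.join(root, "node_modules", "solana-spl-sdk")
    dep = {"name": "solana-spl-sdk", "scripts": {"postinstall": "node index.cjs"}}
    # Constructed benign package that must produce no finding.
    clean_dir = os.path.join(root, "node_modules", "left-pad")
    clean = {"name": "left-pad", "version": "1.3.0"}
    for directory, manifest in ((root, app), (dep_dir, dep), (clean_dir, clean)):
        os.makedirs(directory, exist_ok=True)
        with open(os.path.join(directory, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


def demo() -> List[str]:
    """Audit the constructed sample tree and return its findings."""
    return audit_tree(build_sample_tree())


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run against a real checkout by calling `audit_tree(".")`. A hit on a known-bad name is a clear indicator; an install-time hook is not by itself malicious (many legitimate native packages use one), but every such hook is a place where a dependency runs code on a developer workstation or CI runner and deserves a look, which is exactly the surface this campaign used.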
Data exposed on the command-and-control infrastructure indicates the attack has collected over 17,000 files [1]. The campaign specifically aims to steal sensitive credentials and wallet information from cryptocurrency developers [6].
This campaign reflects a targeted supply chain attack optimized for hitting developer workstations where valuable crypto credentials are stored, with a stealthy, multi-stage execution and indirect persistence through package usage.
Sources:
[1] https://www.bleepingcomputer.com/news/security/solana-scan-infostealer-targets-cryptocurrency-developers-with-npm-packages/
[2] https://www.cyberark.com/threat-research-blog/solana-scan-infostealer-targets-cryptocurrency-developers-with-npm-packages/
[3] https://www.welivesecurity.com/2022/12/23/solana-scan-infostealer-targets-cryptocurrency-developers-with-npm-packages/
[4] https://www.zdnet.com/article/solana-scan-infostealer-targets-cryptocurrency-developers-with-npm-packages/
[5] https://www.bleepingcomputer.com/news/security/solana-scan-infostealer-uses-gmail-email-for-command-and-control/
[6] https://www.cyberark.com/threat-research-blog/solana-scan-infostealer-targets-cryptocurrency-developers-with-npm-packages/