A new infostealer campaign has been discovered that has a political flavor, with cybersecurity experts questioning whether it might be a state-sponsored actor.
Safety, a software supply chain security specialist, has found a threat campaign, dubbed Solana-Scan, that is targeting the Solana (SOL) blockchain ecosystem and, at the same time, appears to be aimed at Russian crypto developers.
The campaign utilizes malicious NPM (Node Package Manager) packages that pretend to scan the Solana software development kit (SDK) but, in reality, are designed to distribute infostealer malware.
According to the findings, it scans the compromised system for files including the user's home directory, Documents, Downloads, Desktop, and additional drives on Windows, while attempting to identify potential crypto assets to steal.
Safety has found two packages in the NPM registry, "solana-pump-test" and "solana-spl-sdk," that were attributed to a person with the widely used handle "cryptohan" and the crypto2001813@gmail[.]com email address.
"We suspect the use of this name is just to provide the illusion of legitimacy rather than pretending to be a specific person or personality," the security researchers said.
The first package was published on August 15th and had 14 versions in ten hours.
Meanwhile, the data the researchers found in a web C2 server, or command-and-control server used by attackers showed IPs located in Moscow.
However, Safety adds that they haven't been able to verify whether these IPs belong to people compromised by the Solana-Scan attack, or whether NPM packages were the vector of compromise.
As the C2 appears to be in the US and the victims appear to be in Russia, security researchers wonder whether a state-sponsored actor is behind the Solana-Scan campaign. In addition, they’ve found that the malicious JavaScript payload has signs, such as emojis in the console.log messages, that it was written with generative AI tools like Claude.
Your email address will not be published. Required fields are markedmarked