The Solana-Scan campaign is an infostealer operation that masquerades as legitimate Solana SDK tooling. It reaches Russian crypto developers through malicious npm packages, and that targeting has raised questions about possible state-sponsored involvement.
How the Campaign Operates
Security firm Safety found that the Solana-Scan campaign used npm packages named "solana-pump-test" and "solana-spl-sdk", published under the handle cryptohan with the email crypto2001813@gmail[.]com. The packages pose as benign Solana scanning tools but carry an infostealer that runs when the package is installed.
Once running, the malware walks the common user directories (Documents, Downloads, Desktop) and any additional mounted drives, looking for crypto wallet material and other sensitive files.
Targets, Operators & Speculation
Victim data points to Russian developers, and the packages were hosted on npm, the registry owned by Microsoft through GitHub. Safety's analysts also noted that the command-and-control (C2) server receiving the exfiltrated data is hosted in the U.S.; the pairing of a Russian victim base with U.S.-based infrastructure is what prompted the geopolitical speculation around the campaign.
Paul McCarty, Safety's Head of Research, suggested the attacks might be state-backed, while acknowledging that no conclusive evidence has been published.
Malware Behavior & AI Markers
Closer analysis suggested the malware may have been written with the help of generative AI tools: the researchers noticed emojis embedded in console.log statements, a stylistic tell often seen in LLM-generated code rather than proof of how it was produced.
The malware runs in two stages. A launcher script first profiles the host (username, home and working directories, install mode) and only then deploys the main payload, which sweeps the profiled directories for sensitive files such as .env and .json configuration files and wallet key files, and sends what it finds to the C2. Splitting the work this way keeps the first stage small and innocuous-looking and lets the operators decide what to send to each victim.
Why This Matters
The Solana-Scan campaign underscores the growing sophistication of supply-chain and developer-targeted attacks, especially in the blockchain space. By mimicking trusted development tools, the attackers get their code run on a developer's workstation with the developer's own privileges, which gives them direct access to credentials, private keys and wallet files. That puts not only individual developers but the broader Solana ecosystem at heightened risk.
Conclusion
The Solana-Scan campaign is a clear example of how threat actors exploit open-source trust, posing as useful SDK tools to compromise developer environments. With Russian developers apparently targeted and U.S.-based infrastructure handling the stolen data, speculation about geopolitical motives continues. Developers should audit npm dependencies carefully, especially in high-risk ecosystems like Solana: check new packages for install-time lifecycle scripts before adding them, pin versions in a lockfile, and consider running npm with install scripts disabled (npm install --ignore-scripts, or ignore-scripts=true in .npmrc) so that a package cannot execute code merely by being installed.