- Malware known as “Solana-scan” has targeted Russian Solana developers, focusing on crypto credentials and tokens.
- The attack deploys malicious JavaScript packages on NPM under the username “cryptohan.”
- Researchers suggest U.S. state-sponsored actors may be responsible, given evidence linking command servers to U.S. IP addresses.
- Victims are Russian users and may include individuals connected to ransomware activity.
- The malware’s code appears to have been partially created using generative AI tools.
Russian developers within the Solana blockchain community have been targeted by a type of malware called “Solana-scan,” according to research from software supply chain security firm Safety. This infostealer malware gathers sensitive information related to cryptocurrency holdings and may be connected to efforts by U.S. state-sponsored actors.
Two packages, “solana-pump-test” and “solana-spl-sdk,” were released through the JavaScript registry NPM by someone using the handle “cryptohan.” These packages claim to scan for Solana SDK components but instead capture users’ crypto credentials and token ownership data. Safety’s Head of Research, Paul McCarty, highlighted that the stolen data is sent to command and control servers with U.S.-based IP addresses.
“Cryptohan” is a widely used nickname in the crypto space, likely chosen to make the packages appear legitimate, McCarty stated. He also emphasized that the malware’s victims are specifically users with Russian IP addresses. This detail, combined with the destination of stolen data, led McCarty to suggest the involvement of a “state-sponsored actor.”
According to coverage in The Register, these attacks may be aimed at individuals connected to Russian ransomware gangs. Such groups have previously targeted U.S. infrastructure and demanded cryptocurrency payments, as noted in statements from U.S. government sources, including a press release from the Department of the Treasury.
A unique aspect of the “Solana-scan” malware, according to McCarty, is that parts of its code show signs of being developed with generative artificial intelligence tools. He explained that the JavaScript payload fits patterns associated with large language models such as Claude.
The research suggests an advanced malware campaign using both technical deception (fake package names) and modern coding techniques to reach its targets. The overall aim appears to be the theft of crypto credentials, with evidence pointing to an ongoing digital conflict between U.S. and Russian actors involving the broader blockchain and cryptocurrency sectors.
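
To check whether a project pulled in either package named above, directly or through another dependency, the following added example (not from Safety's research or the original article) scans a parsed `package-lock.json` for `solana-pump-test` and `solana-spl-sdk`. It covers both the flat `packages` map of lockfile versions 2 and 3 and the nested `dependencies` tree of version 1; the function names and the sample lockfiles, including parent package names and version strings, are constructed for illustration.

```javascript
// Package names reported in the article as malicious.
const FLAGGED = new Set(["solana-pump-test", "solana-spl-sdk"]);
const NM = "node_modules/";

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function scanPackagesMap(packages) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue; // root project entry
    const i = path.lastIndexOf(NM);
    // An explicit "name" field (aliased installs) overrides the path.
    const name = meta.name || (i === -1 ? path : path.slice(i + NM.length));
    if (FLAGGED.has(name)) hits.push({ name, version: meta.version || null, path });
  }
  return hits;
}

// lockfileVersion 1: nested "dependencies" tree, walked recursively.
function scanDependencyTree(deps, trail = []) {
  const hits = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = [...trail, name];
    if (FLAGGED.has(name)) {
      hits.push({ name, version: meta.version || null, path: here.join(" > ") });
    }
    hits.push(...scanDependencyTree(meta.dependencies, here));
  }
  return hits;
}

// Takes a parsed package-lock.json; v2 files carry both sections, so
// "packages" is preferred to avoid reporting the same install twice.
function findFlaggedPackages(lock) {
  return lock.packages ? scanPackagesMap(lock.packages) : scanDependencyTree(lock.dependencies);
}

// Constructed sample lockfiles (parent names and versions are made up).
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "constructed-app" },
  "node_modules/example-helper": { version: "1.0.0" },
  "node_modules/example-helper/node_modules/solana-spl-sdk": { version: "0.0.0-example" },
  "node_modules/sdk-alias": { name: "solana-pump-test", version: "0.0.0-example" },
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  "example-helper": { version: "1.0.0", dependencies: {
    "solana-pump-test": { version: "0.0.0-example" },
  } },
} };
console.log(findFlaggedPackages(SAMPLE_V3), findFlaggedPackages(SAMPLE_V1));
```

On a real project, pass `findFlaggedPackages` the result of `JSON.parse` on the contents of `package-lock.json`; a non-empty result means one of the two packages was resolved into the dependency tree.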