Malicious npm Packages Target Cryptocurrency Developers to Steal Sensitive Credentials

A sophisticated cyber threat campaign has recently emerged, specifically targeting cryptocurrency developers through the deployment of malicious npm (Node Package Manager) packages. These packages are meticulously crafted to steal sensitive credentials and wallet information, posing a significant risk to the security of the cryptocurrency development community.

Overview of the Attack

Dubbed Solana-Scan by cybersecurity researchers, this campaign focuses on the Solana cryptocurrency ecosystem. The attackers have published multiple malicious npm packages, notably solana-pump-test and solana-spl-sdk, under the alias cryptohan with the email address crypto2001813@gmail[.]com. These packages masquerade as legitimate software development kits (SDKs) and scanning tools, claiming to offer advanced file scanning and upload capabilities with multi-threading support. This deceptive presentation aims to lure developers into integrating these malicious packages into their projects.

Discovery and Analysis

The malicious nature of these packages was identified by Safety researchers through their advanced package detection technology. Upon analysis, it was discovered that the packages contain heavily obfuscated JavaScript payloads designed to harvest cryptocurrency-related credentials and sensitive files from compromised systems. The malware specifically targets files with extensions such as .env, .json, .one, .one1, .one2, and .txt, utilizing regular expressions to identify potential cryptocurrency tokens and wallet credentials.

Scope and Impact

The campaign has demonstrated a concerning trend of threat actors leveraging the npm ecosystem to distribute sophisticated information-stealing malware. According to exposed command and control infrastructure, over 17,000 files have already been collected, indicating significant reach within the targeted developer community. Notably, the attack appears to focus on Russian cryptocurrency developers, with victim IP addresses traced to Moscow. The command and control server operates from a US-based infrastructure at IP address 209.159.159.198.

Infection Mechanism and Persistence

The malware employs a multi-stage deployment strategy, beginning with the execution of a file named universal-launcher.cjs. This initial script performs extensive environmental reconnaissance, collecting system information such as the username, working directory, and npm installation mode. The code exhibits signs of AI-assisted generation, including console.log messages with emojis and specific coding patterns consistent with tools like Anthropic’s Claude.

Once executed, the launcher searches for secondary payloads (index.js or index.cjs files) and launches them as background processes to maintain persistence. The main payload then conducts a comprehensive file system scan of user directories, including the Documents, Downloads, and Desktop folders, while excluding development-related directories such as node_modules and .git to avoid detection.

The collected data is packaged into JSON format and exfiltrated to the command and control server. An exposed web interface reveals the disturbing scope of the operation, displaying stolen files including password databases, cryptocurrency exchange credentials, and wallet files from compromised victims.

Broader Context of Supply Chain Attacks

This incident is part of a broader trend of supply chain attacks targeting the npm ecosystem. In recent years, there have been multiple instances where malicious packages have been used to compromise developers and organizations:

– Weaponized npm Packages Targeting JavaScript Frameworks: Hackers have used malicious npm packages to attack popular JavaScript frameworks like React and Node.js. These packages, downloaded over 6,200 times, masquerade as legitimate plugins while containing destructive payloads designed to corrupt data, delete critical files, and crash systems. The threat actor behind this campaign employed a dual strategy of publishing both harmful and helpful packages to build trust and increase the likelihood of their malicious code being installed. ([cybersecuritynews.com](https://cybersecuritynews.com/hackers-using-weaponized-npm-packages/?utm_source=openai))

– Lazarus Group’s Infiltration of npm and PyPI: The notorious Lazarus Group, believed to be linked to North Korea, successfully deployed 234 malicious packages across npm and PyPI ecosystems between January and July 2025. This state-sponsored operation exposed over 36,000 potential victims to advanced malware designed for long-term surveillance and credential theft. The malicious packages masqueraded as legitimate developer tools, exploiting the trust developers place in open-source ecosystems. ([cybersecuritynews.com](https://cybersecuritynews.com/lazarus-hackers-weaponized-234-packages/?utm_source=openai))

– Typosquatting Attacks on npm Developers: Over 280 malicious typosquat packages have been discovered targeting JavaScript developers using the npm ecosystem. These packages mimic the names of popular libraries such as Puppeteer and Bignum.js to deceive developers into installing them. Once installed, they execute malicious scripts designed to download and execute further malicious binaries on the victim’s machine. ([cybersecuritynews.com](https://cybersecuritynews.com/280-typosquat-malicious-packages-attacking-npm-developers/?utm_source=openai))

Recommendations for Developers

Given the increasing sophistication and frequency of these attacks, it is imperative for developers to adopt stringent security practices:

1. Verify Package Authenticity: Always verify the authenticity of npm packages before installation. Check the package’s download statistics, read user reviews, and inspect the code repository for any signs of malicious activity.

2. Monitor for Suspicious Activity: Regularly monitor network logs and system behavior for any unexpected activities or connections to unknown servers.

3. Implement Security Tools: Use security tools and services that can detect malicious packages and alert you to them. Tools like npm audit can help identify dependencies with known, published vulnerabilities; a malicious package is only flagged by such tools once it has been reported.

4. Educate Development Teams: Ensure that all members of your development team are aware of the risks associated with third-party packages and are trained to recognize potential threats.

5. Regularly Update Dependencies: Keep all project dependencies up to date to benefit from the latest security patches and improvements.

By implementing these practices, developers can significantly reduce the risk of falling victim to malicious npm packages and protect their projects and sensitive information from compromise.