A sophisticated new threat campaign has emerged targeting cryptocurrency developers through malicious npm packages designed to steal sensitive credentials and wallet information.
The attack, dubbed "Solana-Scan" by researchers, specifically targets the Solana cryptocurrency ecosystem by masquerading as legitimate software development kits and scanning tools.
The campaign centers around several malicious npm packages, including "solana-pump-test" and "solana-spl-sdk," published by a threat actor using the handle "cryptohan" with the email address crypto2001813@gmail[.]com.
These packages present themselves as advanced Solana file scanning and upload SDKs with multi-threading capabilities, deliberately mimicking legitimate development tools to deceive unsuspecting developers.
solana-pump-test and solana-spl-sdk (Source – Security)
Security researchers identified this threat campaign through their malicious package detection technology, discovering that the packages contain heavily obfuscated JavaScript payloads designed to harvest cryptocurrency-related credentials and sensitive files.
The malware specifically targets files with extensions including .env, .json, .one, .one1, .one2, and .txt, using regular expressions to identify potential cryptocurrency tokens and wallet credentials stored on compromised systems.
The campaign demonstrates a concerning trend of threat actors leveraging the npm ecosystem to distribute sophisticated infostealers.
With over 17,000 files already collected according to the exposed command and control infrastructure, the attack appears to have achieved significant reach across the targeted developer community.
Particularly troubling is the apparent focus on Russian cryptocurrency developers, with victim IP addresses traced to Moscow, while the command and control server operates from US-based infrastructure at IP address 209.159.159.198.
Multi-Stage Infection and Persistence Mechanism
The malware employs a sophisticated multi-stage deployment strategy that begins with the universal-launcher.cjs file, which serves as the initial entry point.
This launcher script performs extensive environmental reconnaissance, gathering system information including the username, working directory, and npm install mode.
Universal-launcher.js JavaScript (Source – Security)
The code contains telltale signs of AI-assisted generation, including console.log messages with emojis and specific coding patterns consistent with tools like Anthropic's Claude.
const _0x35a3f5 = process.env.DETECTED_USERNAME;
const _0x459771 = process.env.WORKING_DIR;
const _0x45a3ca = process.env.NPM_INSTALL_MODE === "true";
console.log("🚀 Universal Launcher NPM Install Mode: " + _0x45a3ca);
Once executed, the launcher searches for secondary payloads (index.js or index.cjs files) and launches them as background processes to maintain persistence.
The main payload then conducts comprehensive file system scanning, targeting user directories including Documents, Downloads, and Desktop folders while intelligently excluding development-related directories such as node_modules and .git to avoid detection.
The collected data is packaged into JSON format and exfiltrated to the command and control server, where an exposed web interface reveals the disturbing scope of the operation, displaying stolen files including password databases, cryptocurrency exchange credentials, and wallet files from compromised victims.
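As an added example for defenders (not code from the campaign or from the researchers' tooling), the following Node.js audit pass checks an installed package's manifest and its install script for the indicators described above: the package names and publisher handle come from the report, while the lifecycle-hook, child_process and detached-process heuristics are assumptions about how such a launcher is typically wired in.

```javascript
// Added audit helper, keyed to the indicators in the report above.
// Package/publisher names are from the report; other heuristics are assumed.
const KNOWN_BAD_PACKAGES = new Set(["solana-pump-test", "solana-spl-sdk"]);
const KNOWN_BAD_AUTHOR = "cryptohan";
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];
const RECON_ENV_VARS = ["DETECTED_USERNAME", "WORKING_DIR", "NPM_INSTALL_MODE"];

// Flags known-bad package names, the known-bad publisher, and lifecycle hooks that run a script.
function auditManifest(manifest) {
  const findings = [];
  const deps = Object.assign({}, manifest.dependencies, manifest.devDependencies);
  for (const name of [manifest.name, ...Object.keys(deps)]) {
    if (KNOWN_BAD_PACKAGES.has(name)) findings.push(`known malicious package: ${name}`);
  }
  const author = manifest.author && (manifest.author.name || manifest.author);
  if (author === KNOWN_BAD_AUTHOR) findings.push(`known malicious publisher: ${author}`);
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = manifest.scripts && manifest.scripts[hook];
    if (cmd && /node\s+\S+\.(cjs|js)\b/.test(cmd)) findings.push(`${hook} hook runs a script: ${cmd}`);
  }
  return findings;
}

// Flags the reconnaissance env reads quoted above, hex-style obfuscated identifiers,
// and (assumed pattern) a detached child process used to keep a payload running.
function auditScriptBody(src) {
  const findings = [];
  for (const v of RECON_ENV_VARS) {
    if (src.includes(`process.env.${v}`)) findings.push(`reads ${v}`);
  }
  if (/_0x[0-9a-f]{4,}/i.test(src)) findings.push("hex-style obfuscated identifiers");
  if (/require\(["']child_process["']\)/.test(src)) findings.push("uses child_process");
  if (/detached\s*:\s*true|\.unref\(\)/.test(src)) findings.push("detached background process");
  return findings;
}

// Constructed samples modelled on the report, not the real package contents.
const SAMPLE_MANIFEST = {
  name: "solana-spl-sdk",
  author: "cryptohan",
  dependencies: { express: "^4.18.0" },
  scripts: { postinstall: "node universal-launcher.cjs" },
};
const SAMPLE_LAUNCHER = [
  "const _0x35a3f5 = process.env.DETECTED_USERNAME;",
  "const _0x459771 = process.env.WORKING_DIR;",
  'const _0x45a3ca = process.env.NPM_INSTALL_MODE === "true";',
  'require("child_process").spawn("node", ["index.cjs"], { detached: true }).unref();',
].join("\n");
```

Run it against each package directory under node_modules (manifest plus any script named in a lifecycle hook) and treat any finding as a reason to quarantine the package before the hook runs again.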