tl;dr
A new threat campaign, “Solana-Scan”, includes multiple malicious NPM packages targeting the Solana cryptocurrency ecosystem. These packages carry a new infostealer malware that appears to target Russian cryptocurrency developers.
The background
The Safety research team, using Safety's malicious package detection technology, identified a threat actor publishing multiple malicious packages today. These packages targeted the Solana cryptocurrency ecosystem and pretended to "scan" for Solana SDK components. We have named this campaign "Solana-Scan".
Threat actor details
The threat actor, who used the email "crypto2001813@gmail[.]com" and goes by the handle “cryptohan” on NPM, has two packages currently published on the NPM registry: “solana-pump-test” and “solana-spl-sdk”:

The name “cryptohan” is used throughout the cryptocurrency ecosystem by multiple people and multiple companies. We suspect the use of this name is just to provide the illusion of legitimacy rather than pretending to be a specific person or personality.
What do these malicious packages do?
The first package published to NPM was the "solana-pump-test" package at 07.37 UTC.

The second package "solana-spl-sdk" was published at 19.34 UTC:

The Safety team also identified a third package, "solana-pump-sdk" that this threat actor recently removed from the NPM registry:

The package contents
If we inspect the contents of both packages, we see that they are effectively the same:

In the dist directory the files are exactly the same:

Let’s take a look at the package manifest file from one of the packages to see if it gives us any hints about how this package works. Here’s the package.json file for the solana-pump-test package:

And here’s the package.json file for the solana-spl-sdk package:

"Solana-Scan"
Notice that both package.json files have a “bin” key that calls the dist/universal-launcher.cjs file.
This “solana-scan” name doesn't match any existing or historical NPM package. It appears that the threat actors are trying to make the package look like a legitimate "scanner" for the Solana SDK components. Why you would need a "scanner" for that, we don't know.
Regardless, since this “solana-scan” name is referenced in both files, we are going to call this threat campaign “solana-scan”.
Let's analyze the source
If we continue to analyze the package.json files, we can see that they both also call the dist/universal-launcher.cjs file from the “main” entrypoint. This seems like a good place to start!

This file is heavily obfuscated. In fact, all five of the JavaScript files in the dist folder are obfuscated:

This is a strong signal that we should drill in! Let’s start by deobfuscating the universal-launcher.js JavaScript:

First stage - universal-launcher.js
The first thing we notice is that the universal-launcher.js script is pulling data from the local environment, including the username, the working directory and how the package was installed. Later on, the script extracts more data about the local node and NPM environments. This is a recurring theme we’ve identified: mature threat actors are now interacting with NPM and node on compromised machines in a more nuanced way.
You will also notice the console.log messages with emojis. This is a common sign that the code was written with a code-generation AI tool such as Anthropic’s Claude.
The first stage JavaScript payload then searches for either index.js or index.cjs, and when it finds one of those files, it launches that second JavaScript file as a background process to maintain persistence. This second stage is the main payload.
Main payload - index.js
The second part of the payload is the index.js file:

This JavaScript scans the compromised system for files in locations including the user's home directory, the Documents, Downloads and Desktop folders, and any additional drives on Windows.
It specifically looks for files with the following extensions: .env, .json, .one, .one1, .one2, .txt and then uses a set of regular expressions to identify potential cryptocurrency tokens in the
Interestingly, it also has a list of directories to exclude, such as node_modules and .git.
Command and Control (C2)
When it's done collecting the data it's after, it wraps it all in a JSON blob and exfiltrates it to the IP address 209.159.159.198 on port 3000.
If we search Shodan for that IP address, we see that it appears to be hosted in the US:

There is an active RDP service running on a Windows Server 2022 instance on that IP address:

Web C2 details
If we browse to http://209[.]159[.]159[.]198:3000 we see a web service.

Unfortunately, files and details about compromised hosts are visible via the website hosted at that IP address. These files include password files, crypto exchange credentials and crypto token wallet files, amongst others.
It's unusual to get visibility into the C2 infrastructure behind threat campaigns like this one. The Safety team continues to monitor the website.
Victims appear to be Russian
If you look at the data exposed on the web C2 server, you'll see IPs located in Moscow, Russia. We have not been able to verify that these IPs belong to people who were compromised by the Solana-Scan attack, or that the NPM packages were the vector of compromise.
What's unique about this attack
There are several things about this attack that stand out:
- The C2 appears to be in the US and the victims appear to be in Russia. Is this a state-sponsored actor?
- The JavaScript payload has signs that it was written with generative AI tools like Claude
- These packages share a trend of interacting with node and NPM to better deliver the malicious payload
The timeline:
The first package was published at 7.37 UTC on August 15, 2025. In total, 14 versions were published over 10 hours:

Indicators of Compromise (IOCs)
Based on my research, this threat campaign has several IOCs you can look for:
NPM Packages:
- solana-pump-test
- solana-spl-sdk
- solana-pump-sdk
Files (SHA-256):
- bd93bea65242bc8205728f129c9bbadc694d849a028fc2d771f9ea60a293665c ./index.cjs
- e6f75dbf6d42e4c34b1a267426accd6dfd3ea7773a28e580c10687768fcc3883 ./index.js
- ed5b9c8bfede0668a240e976e65a46e2dd393ef597c7068c1bb842173ae51ebb ./install.cjs
- 233a408bbcd072236d9331792356ed0b59da5a4c51e3ca74f860a4bf1a621c15 ./install.js
- 21a6135067c3f150a4629e4746c8b81c5b41567117eeaf69224a1919077521d9 ./universal-launcher.cjs
Email addresses:
- crypto2001813@gmail[.]com
IP Addresses:
- 209[.]159[.]159[.]198
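As an added defensive example (not code from the original post or from Safety), the following Python script walks a project's node_modules tree and flags any package that matches the IOCs above: an IOC package name, a "main" or "bin" entry pointing at dist/universal-launcher.cjs (the pattern both malicious manifests share), or a dist file whose SHA-256 is in the hash list. The fixture it builds is constructed for demonstration; the "solana-scan" bin command name and the placeholder launcher file are assumptions, not the real package contents.

```python
import hashlib, json, tempfile
from pathlib import Path

# IOCs quoted from the write-up above: package names and SHA-256 hashes of the dist files
IOC_PACKAGES = {"solana-pump-test", "solana-spl-sdk", "solana-pump-sdk"}
IOC_SHA256 = {
    "bd93bea65242bc8205728f129c9bbadc694d849a028fc2d771f9ea60a293665c",
    "e6f75dbf6d42e4c34b1a267426accd6dfd3ea7773a28e580c10687768fcc3883",
    "ed5b9c8bfede0668a240e976e65a46e2dd393ef597c7068c1bb842173ae51ebb",
    "233a408bbcd072236d9331792356ed0b59da5a4c51e3ca74f860a4bf1a621c15",
    "21a6135067c3f150a4629e4746c8b81c5b41567117eeaf69224a1919077521d9",
}
# The launcher both malicious manifests reference from their "bin" and "main" keys
LAUNCHER = "dist/universal-launcher.cjs"

def scan_node_modules(root: Path) -> list:
    """Walk every package.json under root and report IOC matches by name, entrypoint or hash."""
    findings = []
    for manifest in root.rglob("package.json"):
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue
        name = pkg.get("name", "")
        if name in IOC_PACKAGES:
            findings.append({"package": name, "reason": "ioc-name", "path": str(manifest)})
        # "bin" is either a string or a {command: path} mapping; "main" is a string
        bin_field = pkg.get("bin", {})
        entrypoints = [pkg.get("main", "")] + (
            [bin_field] if isinstance(bin_field, str) else list(bin_field.values()))
        if any(isinstance(e, str) and (e[2:] if e.startswith("./") else e) == LAUNCHER
               for e in entrypoints):
            findings.append({"package": name, "reason": "launcher-entrypoint", "path": str(manifest)})
        dist = manifest.parent / "dist"
        for f in (dist.iterdir() if dist.is_dir() else []):
            if f.is_file() and hashlib.sha256(f.read_bytes()).hexdigest() in IOC_SHA256:
                findings.append({"package": name, "reason": "ioc-hash", "path": str(f)})
    return findings

def build_fixture() -> Path:
    """Constructed sample tree (not real malware): an IOC-named package wired up like the manifests."""
    root = Path(tempfile.mkdtemp())
    pkg = root / "node_modules" / "solana-pump-test"
    (pkg / "dist").mkdir(parents=True)
    (pkg / "package.json").write_text(json.dumps({
        "name": "solana-pump-test", "main": "dist/universal-launcher.cjs",
        "bin": {"solana-scan": "./dist/universal-launcher.cjs"}}))  # assumed command name
    (pkg / "dist" / "universal-launcher.cjs").write_text("// placeholder, not the real file\n")
    return root
```

Point scan_node_modules at a real project root (for example, scan_node_modules(Path("/path/to/project"))) to check an installed dependency tree; the placeholder launcher in the fixture deliberately does not hash to an IOC, so only the name and entrypoint rules fire there.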
How can you protect your org from this kind of attack?
Existing security tools like SCA and EDR do not protect you from threats like the Solana-Scan attack. Fortunately, there are ways to protect both your developers and your CI/CD pipelines from attacks like this one.
The world's first AI-powered Software Supply Chain Firewall analyzes every package request in real-time, automatically blocking malicious and vulnerable dependencies before installation. Stop supply chain attacks at their source while maintaining development velocity.
Read more about our exciting Firewall product!
Let us know if this blog post helped your org!
I hope you have enjoyed going down this rabbit hole with me. Remember to use the IOCs above.
Hit me up directly if you have any questions about this campaign.

Paul McCarty - Head of Research, Safety
You can find me on LinkedIn and BlueSky.