Malicious Go Module Targets Solana Devs, Leaking Data to a “U.S.-Based” Server
Researchers have uncovered a new politically tinged campaign targeting the Solana blockchain ecosystem and, apparently, developers of cryptocurrency projects in Russia. Specialists at Safety, a company focused on securing software supply chains, identified a cluster of malicious NPM packages disguised as legitimate tools for working with the Solana SDK. In reality, they were delivering an infostealer—malware designed to harvest data from compromised devices.
The counterfeit packages, published under the names solana-pump-test and solana-spl-sdk, appeared in the official NPM registry and were attributed to an account with the alias cryptohan and the email crypto2001813@gmail[.]com. Analysts believe the pseudonym was selected to lend credibility and is not tied to a real individual. Notably, one of the packages received 14 updates within just ten hours of its release on August 15, signaling active refinement and a likely attempt by the operators to obscure their tracks.
Once installed, the packages initiated scans of key system directories—home, Documents, Downloads, Desktop, and attached drives on Windows—seeking both general user data and potential crypto assets. Exfiltrated information was transmitted to a command-and-control (C2) server located in the United States. However, investigators also traced IP addresses registered in Moscow within the attackers’ infrastructure, leaving it unclear whether these belonged to infected victims or reflected direct activity by the campaign’s operators.
The geopolitical dimension adds intrigue: infrastructure based in the U.S., but with victims reportedly concentrated in Russia. On this basis, researchers cautiously suggest the possible involvement of state-aligned actors.
Additional indicators point to the use of generative AI tools in crafting the malicious code. Console logs contained nonstandard messages featuring emojis—an unusual marker strongly suggestive of text generated by models such as Claude. Such stylistic quirks are atypical in manually written malicious JavaScript, bolstering the hypothesis of automated development techniques.
Dubbed Solana-Scan, the campaign highlights how the blockchain ecosystem is becoming an increasingly attractive target for cybercriminals. Malicious dependency packages remain a highly effective delivery vector for infostealers. For developers, this underscores the necessity of rigorously vetting external libraries and monitoring their sources, as even widely trusted registries cannot guarantee immunity from tampering.
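Two of the signals the report describes, a package pushing 14 versions within ten hours and a dependency that executes code at install time, can be checked against npm registry metadata before a library is added. The following is an added example (not code from the article, from Safety, or from the packages discussed); the thresholds, the package name and the registry metadata are constructed for illustration.

```javascript
// Added example, not code from the article or from the packages it describes.
// Two pre-install checks run over npm registry metadata (the JSON served at
// https://registry.npmjs.org/<name>): a burst of versions published within a
// short window, and install-time lifecycle scripts. Metadata is constructed.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Largest number of versions whose publish timestamps fall inside one sliding
// window of `windowHours`. `time` is the registry's version -> ISO-8601 map.
function maxVersionsInWindow(time, windowHours) {
  const stamps = Object.entries(time)
    .filter(([key]) => key !== "created" && key !== "modified")
    .map(([, iso]) => Date.parse(iso))
    .sort((a, b) => a - b);
  const windowMs = windowHours * 60 * 60 * 1000;
  let best = 0;
  for (let i = 0, j = 0; i < stamps.length; i++) {
    while (stamps[i] - stamps[j] > windowMs) j++; // shrink window from the left
    best = Math.max(best, i - j + 1);
  }
  return best;
}

// Lifecycle scripts that npm runs automatically during `npm install`.
function installScripts(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((hook) => hook in scripts);
}

// Combine both signals for the package's "latest" tag; the thresholds are
// assumptions chosen to mirror the 14-updates-in-ten-hours pattern above.
function vetPackage(meta, { windowHours = 10, burstThreshold = 10 } = {}) {
  const latest = meta["dist-tags"].latest;
  const versionsInWindow = maxVersionsInWindow(meta.time, windowHours);
  const hooks = installScripts(meta.versions[latest]);
  const suspicious = versionsInWindow >= burstThreshold || hooks.length > 0;
  return { name: meta.name, versionsInWindow, hooks, suspicious };
}

// Constructed sample: 14 versions 40 minutes apart (all within ten hours)
// and a postinstall hook on the latest version.
const start = Date.UTC(2025, 7, 15, 8, 0, 0);
const sampleMeta = {
  name: "example-sdk", // hypothetical name, not one of the reported packages
  "dist-tags": { latest: "1.0.13" },
  time: Object.fromEntries(Array.from({ length: 14 }, (_, i) =>
    [`1.0.${i}`, new Date(start + i * 40 * 60 * 1000).toISOString()])),
  versions: { "1.0.13": { scripts: { postinstall: "node setup.js" } } },
};
console.log(vetPackage(sampleMeta));
```

A hit on either signal is a reason to read the package's install script and publish history by hand, not proof of malice: many legitimate packages also ship postinstall steps.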