Solana-Scan Infostealer: Malicious NPM Packages Steal Wallet Keys

A cluster of malicious npm packages — cataloged by researchers as a targeted infostealer campaign dubbed “Solana‑Scan” — has been used to lure Solana ecosystem developers into installing backdoored SDKs that harvest wallet credentials, local keyfiles and a broad sweep of developer artifacts, then expose those stolen assets through an easily accessible command‑and‑control portal. The discovery, disclosed in mid‑August by supply‑chain researchers, shows a focused attack profile, heavy obfuscation, and operational tradecraft that blends supply‑chain abuse with developer‑facing social engineering — an evolution of earlier Solana‑themed npm incidents and a clear warning for every team that treats third‑party packages as trusted code.

Background​

A recent escalation in Solana‑targeting supply‑chain attacks​

The Solana ecosystem has been repeatedly abused by supply‑chain actors over the last 12 months, with high‑profile compromises of Solana libraries and dozens of Solana‑themed typosquats that exfiltrate keys or silently redirect funds. Past incidents included malicious versions of the widely used @solana/web3.js library and multiple packages that exfiltrated private keys via innocuous channels such as SMTP, or that siphoned funds by routing a tiny fraction of transactions to attacker addresses. These earlier cases established two important precedents: attackers will impersonate Solana tooling to gain developer trust, and they will favor exfiltration channels that look like legitimate traffic. (reversinglabs.com, socket.dev)
Supply‑chain threats are not limited to Solana. The JavaScript/npm ecosystem has seen numerous waves of typosquatting, account takeover and malicious package publication — incidents that highlight how quickly a compromised publish account or a convincing package listing can affect downstream projects and production systems. Community investigations and security vendor telemetry repeatedly flag social engineering and token misuse as recurring root causes.

What the latest discovery adds​

Researchers from an industry supply‑chain team reported three malicious packages published under a threat handle that appears as “cryptohan.” The packages — named to look like legitimate Solana SDK utilities — were observed delivering a two‑stage JavaScript payload: an initial launcher that enumerates the environment and an extensive second‑stage scavenger that searches user directories for wallet material, credential files and token artifacts. Socket and independent reporting corroborate the pattern: attackers publish convincing Solana tools, rely on developer adoption (or on GitHub projects that import the malicious package), and then extract key material and other secrets.

---

Overview of the Solana‑Scan campaign​

The lures: packages and impersonation​

The campaign’s packages used names and descriptions tailored to the Solana developer audience — for example, packages purporting to be Solana SDK scanners, pump/trading helpers, or SPL token utilities. This approach leverages developer hunger for tooling and the common practice of sampling or reusing small helper libraries from npm or GitHub during development.

• Observed malicious package names included solana‑pump‑test, solana‑spl‑sdk and similarly branded modules. These packages aimed to appear as legitimate SDK scanning tools or DeFi/“pump” utilities. (libraries.io, socket.dev)
• Researchers observed associated GitHub repositories and readme content that attempted to provide legitimacy. In multiple historical examples, attackers used GitHub projects to give a veneer of trust before the malicious package was pulled into user environments.

The payload: two stages and broad harvesting​

The malicious code uses a two‑stage execution model:

• The initial universal‑launcher script executes on install or require, performing environment reconnaissance: collecting usernames, working directory paths, npm install method, and other environment metadata that helps the operator understand the target context and select additional payload logic. This launcher is commonly heavily obfuscated to evade static detection and quick manual inspection.
• The second stage performs a targeted file sweep across user folders (Documents, Desktop, Downloads, project directories) looking for files with common secrets‑bearing extensions (.env, .json, .txt, .one and others) and using pattern matching/regexes to identify tokens, mnemonic phrases, keypairs and exchange credentials. When a match is found, files are aggregated and exfiltrated to the attacker’s C2. The payload also includes logic to selectively avoid discovery — for instance, acting only in certain geographic locales or skipping common honeypot indicators. (theregister.com, socket.dev)

Exfiltration and exposed telemetry​

Reportedly, stolen artifacts were sent to a remote service that served as the campaign’s command and control. Safety’s analysis — summarized in reporting — indicated that the C2 infrastructure surfaced harvested victim data via a web interface, which unusually allowed researchers to see the scale of the compromise and the types of victim files collected. Some research notes suggested victims were concentrated by geolocation in Moscow, Russia, prompting speculation about the campaign’s targeting. The presence of hosting infrastructure geolocated to the United States — if accurate — added complexity to early attribution.
Caveat: Some reporting names specific IP addresses and server details for the C2 infrastructure. Independent confirmation of particular IPs and exact host OSes is uneven across public sources; where a single outlet provides a precise network artifact, those claims should be treated as reported but not fully corroborated unless multiple independent telemetry feeds (Shodan, passive DNS, research blog dumps) confirm the mapping. In this case, public reporting confirmed the existence of a reachable C2 UI exposing victim files, but exact host fingerprints and IP ownership statements require further vetting.

---

Technical dissection​

Obfuscation and AI‑like artefacts​

Analysts noted heavy JavaScript obfuscation in the payloads. In one case, console diagnostic lines and emoji usage inside the script suggested the developer may have used AI‑assisted code generation (or at least left development artifacts typically produced by automated tools), which can complicate attribution and also indicate an adversary streamlining development with modern coding aids. Obfuscation combined with multi‑file bundling is designed to defeat casual code inspection and many signature‑based SCA scanners.

File targeting and heuristics​

The scavenger engine uses broad file searches plus targeted pattern matching for:

• Configuration and environment files (.env, *.json)
• Common wallet or secret file formats (keypair files, serialized JSON wallet exports)
• Plaintext notes and README/test scripts where developers sometimes paste private keys or mnemonic phrases
• Exchange credential formats and password dumps

Attackers use regex patterns to extract mnemonic seed phrases, base58‑encoded private keys used on Solana, API keys, and other token formats. The malware then compiles matched files for exfiltration. These heuristics make developer workstations — where keys and tokens are often present for testing — especially attractive.

Persistence and evasive behaviors​

Reported code shows attempts to evade cleanup and to persist in project structures (modifying project files so a simple node_modules removal may not fully purge the payload). Other historical Solana / npm malware has adopted “98% benign / 2% malicious” execution strategies to mask theft within predominantly normal behavior. The goal is to reduce suspicion and increase dwell time. (reversinglabs.com, socket.dev)

---

Indicators of Compromise (IOCs) and verification notes​

• Malicious package names observed: solana‑pump‑test, solana‑spl‑sdk, solana‑pump‑sdk (variants and similarly branded names). (libraries.io, socket.dev)
• Known aliases used by the publisher: cryptohan (threat handle).
• File hashes and exact payload checksums have been published in limited reporting; those artifacts should be cross‑checked against vendor telemetry and package tarballs prior to any automated blocking. Reported file hashes and specific install file names exist in some accounts, but independent corroboration of the full set of hashes remains incomplete in public feeds — treat single‑source hashes with caution until verified by multiple scanners.
• Network artifacts: some analyses reported exfiltration to external HTTP endpoints and, in prior Solana attacks, to SMTP channels (notably gmail SMTP abuse was used in earlier campaigns). The exact C2 IP addresses and host fingerprints reported in a single article are plausible but not yet corroborated by multiple independent telemetry sources in public datasets. Researchers should check enterprise IDS logs for connections to suspicious hosts or unexpected port 3000/HTTP traffic from developer workstations. (socket.dev, theregister.com)

Important verification note: several outlets reproduced the high‑level findings and package names; others published precise IOCs such as file hashes and C2 IPs. When implementing automated blocks, security teams should cross‑reference those IOCs against trusted vendor feeds (Snyk, Socket, vendor SIEM threat intel), and avoid blacklisting solely on a single blog post unless the posting is accompanied by verifiable telemetry. (security.snyk.io, socket.dev)

---

Attribution and targeting: what the evidence does — and does not — say​

Safety’s researchers observed that the visible exfiltrated victim data clustered by IP geolocation around Moscow, and that the C2 infrastructure appeared hosted on U.S.‑located infrastructure. From that combination, Safety’s lead researcher floated the possibility that the campaign might reflect deliberate targeting of Russian crypto developers — and even suggested the idea of a state‑linked or defensive operation as a hypothesis. However, researchers explicitly note there is no direct evidence proving state sponsorship; the signal could also indicate a criminal actor using U.S. hosting while operating against Russian targets, or simple coincidence in geolocation sampling. Attribution in supply‑chain campaigns remains difficult because attackers borrow code, hosting, and identities to frustrate tracing. Treat any attribution claims as provisional until multiple independent sources corroborate chain‑of‑custody evidence.

---

Detection challenges and why SCA / EDR can miss this​

• Supply‑chain installs run with developer privileges and often execute during build/test phases where endpoint monitoring is less strict. Package installers can run arbitrary JavaScript at install time (postinstall scripts), which many scanners do not execute during static policy checks. This makes runtime checks critical.
• Obfuscation and modular multi‑stage loaders defeat simple hash‑based detection; many SCA products scan tarballs statically but do not emulate runtime behavior. Attackers exploit this blind spot by hiding the active payload behind a launcher that assembles or fetches code dynamically.
• Exfiltration channels that blend with legitimate services — such as SMTP to gmail or outbound HTTPS to commonly allowed hosts — are less likely to trip perimeter rules. Earlier campaigns deliberately used Gmail SMTP because enterprise defenses commonly allow traffic to smtp.gmail.com.

---

Practical mitigation playbook for developers and security teams​

The following prioritized actions combine immediate containment steps with medium‑term platform hardening. Each step maps to realistic developer workflows and enterprise controls.

• Immediate triage (for any environment that may have installed suspicious Solana packages)
• Treat the host as compromised until proven otherwise: rotate any keys or tokens used on that machine (wallet keypairs, API keys, SSH keys), from a known‑good environment.
• Isolate affected machines from the network and preserve forensic artifacts (npm cache, node_modules, package lockfile, system logs). Capture memory if possible.
• Search source trees and user directories for known IOC filenames, suspicious tarballs and any unexpected postinstall scripts in package.json.
• Scanning and detection
• Deploy runtime package scanners that evaluate postinstall and require‑time behaviors, not just static tarball contents. Use vendor feeds (Socket, Snyk, OSS Rebuild outputs) to augment blocklists and detection rules. (socket.dev, security.snyk.io)
• Monitor outbound connections from developer endpoints for unusual SMTP/HTTPS destinations, especially to hosts not in corporate allowlists.
• Developer hygiene and policy changes
• Pin third‑party dependencies via lockfiles and enforce immutability for production builds. Avoid upgrading transient dependencies without review.
• Run all third‑party scripts in ephemeral, sandboxed environments (e.g., ephemeral containers or dedicated CI agents) and never in the same host that stores long‑term keys or credentials.
• Use hardware‑backed 2FA and rotation for package registry accounts and avoid shared long‑lived publish tokens. Limit token scope to the minimum necessary.
• Build and release hardening
• Adopt reproducible build or provenance checking (OSS Rebuild style) so published artifacts can be validated against source. This prevents stealthy binary drops that differ from the source tarball.
• Integrate SBOMs and continuous SCA checks into CI, and require explicit approval for dependency updates that touch production tooling.
• Operational response improvements
• Maintain a curated allowlist of approved package maintainers for internal tooling and require multi‑person approval before adding new dev dependencies to shared repos.
• Build playbooks for key rotation, incident notification to downstream users and public disclosure — swift, transparent action reduces the window of exploitation.

---

Why this matters: developer workstations are high‑value targets​

Developer laptops and CI agents are troves of secrets: private keys, authority tokens, cloud secrets and signing keys. When those hosts are compromised, attackers can move from individual theft to organizational breach. Solana‑Scan’s design — scanning user folders for wallet and credential formats — is optimized to extract the most valuable artifacts a developer stores, and to do so quietly. The supply‑chain vector gives attackers a broad reach with minimal direct phishing, allowing them to scale impact across multiple organizations or open‑source contributors.

---

Reporting and responsible disclosure notes​

Researchers who discover malicious packages should coordinate takedowns and share IOCs through established vendor feeds and registry abuse channels. Security teams should prioritize cross‑validation of IOCs: a package reported by one blog is actionable only after corroboration by a vendor scan, GitHub advisory, or an independent telemetry feed. Where possible, publish minimal reproducible artifacts (package tarball hashes, succinct YARA/JS rules for common indicators) to enable automated blocking without over‑reliance on a single prose report. (github.com, socket.dev)

---

Critical analysis — strengths and risks of the campaign and the defensive posture​

• Notable strengths of the campaign
• Targeted social engineering: by masquerading as Solana SDK helpers, the packages exploit the high trust developers place in small utilities.
• Execution model: two‑stage obfuscation reduces static detectability and increases the chance a developer will run the code before detection.
• Blended exfiltration: using commonly allowed channels (Gmail SMTP or standard HTTPS) undermines many perimeter defenses.
• Defensive gaps revealed
• Static SCA alone is insufficient: packages that execute postinstall hooks or fetch dynamic payloads can evade static scanning.
• Poor token hygiene and weak publish protections on package registries continue to enable account takeover and unauthorized publishing.
• Inadequate separation between developer test environments and production secrets leaves organizations vulnerable.
• Attribution and geopolitical implications
• While geographic indicators and hosting choices raised speculation about targeted operations against Russian developers, the public evidence remains circumstantial. Attribution without multiple independent confirmations is risky; defenders should triage and mitigate regardless of actor identity.

---

Final takeaways​

The Solana‑Scan cluster is another potent reminder that the trust model of modern software is only as strong as the weakest human and technical control in the chain. Developers must treat third‑party packages with the same scrutiny applied to binary dependencies and container images. Security teams must pair static dependency checks with runtime monitoring, network egress controls and strong credential hygiene. Operationally, the clearest defense is to reduce the value of any single host by isolating development environments, rotating and narrowing scopes for keys/tokens, and adopting reproducible, provable build processes.
The campaign’s techniques — obfuscated launchers, staged scavengers, and use of developer‑facing social engineering — will reappear in other tooling ecosystems unless the community raises the baseline for registry verification, publish token security and developer runtime monitoring. Short of eliminating open‑source risk, practical controls and disciplined developer workflows can blunt impact and reduce the attacker’s window of opportunity. (socket.dev, reversinglabs.com)

---

Indicators, filenames, package names and hashes reported in some outlets are valuable starting points for defensive action, but they require cross‑validation against vendor telemetry before automated enforcement. Security teams should treat a reported compromise as a trigger for containment plus verification — not as an automatic, one‑source block — and invest in developer awareness, package provenance and runtime controls to prevent similar campaigns from succeeding.

---

Source: cyberpress.org Crypto Developers Targeted by Malicious npm Packages in Login Credential Heist