Article Details

Scrape Timestamp (UTC): 2025-08-18 06:41:02.150

Source: https://www.theregister.com/2025/08/18/solana_infostealer_npm_malware/

Original Article Text


Someone's poking the bear with infostealers targeting Russian crypto developers.

If you wanted to hurt Putin’s ransomware racketeers, these info-stealing npm packages are one way to do it. Researchers at software supply chain security outfit Safety think they’ve found malware that targets Russian cryptocurrency developers, and perhaps therefore Russia’s state-linked ransomware crews.

Safety’s head of research Paul McCarty last week revealed his discovery of npm packages that, he wrote, “targeted the Solana cryptocurrency ecosystem and pretend to ‘scan’ for Solana SDK components.”

The threat actor uses the handle “cryptohan”, which McCarty says is familiar in the crypto community and used by “multiple people and multiple companies.” “We suspect the use of this name is just to provide the illusion of legitimacy rather than pretending to be a specific person or personality,” he added.

That veneer of credibility helps this threat actor convince Solana devs to install packages called “solana-pump-test” and “solana-spl-sdk” that reside on the npm Registry, a collection of open-source code favored by JavaScript devs.

The packages are infostealers that search for information including possible cryptocurrency tokens, then send the data to command and control (C2) servers with IP addresses linked to the USA. Those servers expose plenty of info about compromised hosts, including password files, crypto exchange credentials, and crypto token wallet files. Some of that info seen by Safety’s researchers suggests the infostealers’ victims are in Russia.

McCarty wonders if the combination of a US-linked C2 server and victims linked to Russia indicates these npm packages are the work of a state-sponsored actor.
He offers no evidence for that theory, but the logic behind it is appealing as Kremlin-backed ransomware gangs and the affiliates who operate their wares usually demand payment in cryptocurrency – a practice many nations would like to deter if not halt outright. If anti-ransomware forces use a simple tactic like posting poisoned packages to the npm Registry to take out some players, that’s a win. It’s bad news, however, for those who use Solana as its developers intended – as the underpinning of decentralized apps and to record and enact smart contracts – or who use the SOL token for legitimate purposes. Those developers need to sanitize their software supply chains, and Safety is of course happy to help.

Daily Brief Summary

MALWARE // Infostealing Malware Targets Russian Crypto Developers via NPM Packages

Researchers at Safety identified malicious npm packages targeting Russian cryptocurrency developers, potentially linked to state-sponsored ransomware groups.

The malware, disguised as legitimate Solana SDK components, aims to steal cryptocurrency tokens and sensitive data from developers.

The threat actor, using the name "cryptohan," exploits the npm Registry to distribute infostealers under the guise of credibility.

Data extracted by the malware is sent to command and control servers with IP addresses associated with the USA.

Victims appear to be primarily located in Russia, raising suspicions of geopolitical motivations behind the attack.

The incident underscores the need for developers to secure their software supply chains against such threats.

Safety offers assistance to developers in sanitizing their software ecosystems to prevent further exploitation.