2025-08-19
Threat Intelligence, Supply chain
Malicious npm packages take aim at Russian crypto developers
(Credit: Araki Illustrations – stock.adobe.com)
Russian cryptocurrency developers have been targeted by illicit npm packages that purport to scan Solana SDK components, The Register reports.
Malicious npm packages 'solana-pump-test' and 'solana-spl-sdk', uploaded by the threat actor 'cryptohan', enabled the exfiltration of cryptocurrency tokens and other data to U.S.-based command-and-control servers, according to a report from software supply chain firm Safety. Analysis of the C2 servers revealed cryptocurrency credentials, token wallet files, and password files, some of which originated in Russia. Those findings have led Safety Head of Research Paul McCarty to suspect that the packages were created by a state-backed actor, although no additional evidence has been provided to support the theory. Moreover, various individuals and organizations have been observed using the 'cryptohan' name. "We suspect the use of this name is just to provide the illusion of legitimacy rather than pretending to be a specific person or personality," said McCarty.