Someone's poking the bear with infostealers targeting Russian crypto developers
theregister.co.uk
Researchers at software supply chain security outfit Safety think they’ve found malware that targets Russian cryptocurrency developers, and perhaps therefore Russia’s state-linked ransomware crews.
Safety’s head of research Paul McCarty last week revealed his discovery of npm packages that, he wrote, “targeted the Solana cryptocurrency ecosystem and pretend to ‘scan’ for Solana SDK components.”
The threat actor uses the handle “cryptohan”, which McCarty says is familiar in the crypto community, and used by “multiple people and multiple companies.”
“We suspect the use of this name is just to provide the illusion of legitimacy rather than pretending to be a specific person or personality,” he added.
That veneer of credibility helps this threat actor to convince Solana devs to implement packages called “solana-pump-test” and “solana-spl-sdk” that reside on the npm Registry, a collection of open-source code favored by JavaScript devs.
The packages are infostealers that search for information ...
Copyright of this story solely belongs to theregister.co.uk.