- Researchers discover two packages carrying an infostealer
- The victims appear to be Russian and the attackers American
- That prompted researchers to speculate whether the targets were Russian crypto hackers
Two malicious packages targeting software developers in the Solana ecosystem were recently discovered on the npm package registry.
However, the discovery, the attribution and the likely targets of the malware led the researchers to speculate whether this was a state-sponsored attack.
Solana is a blockchain designed for decentralized applications and cryptocurrencies. It is similar to Ethereum in many respects, which is why it is often described in the crypto community as the “Ethereum killer”.
Targeting developers? Or hackers? Or both?
Security researchers recently found two npm packages: “Solana-Pump-Test” and “Solana-SPL-SDK”.
Both were submitted by the same author and contained identical code. According to the researchers, when the packages were installed they ran scripts that exfiltrated sensitive information from the compromised device, including private keys that gave the attackers access to crypto funds.
The researchers say the victims, the developers who downloaded and ran the infostealers, were located in Russia.
The attackers, on the other hand, appear to be located in the United States, based on the IP addresses to which the exfiltrated data was relayed.
That was enough for the researchers to wonder whether a US-backed threat actor was targeting Russia, probably because of the current geopolitical tensions between the two powers.
But npm, as a platform, is neither Russian nor run by Russians. It is operated by npm, Inc., a company that was originally independent but is now a subsidiary of GitHub, which itself belongs to Microsoft.
Russia, however, has several known state-sponsored and state-affiliated threat actors that target cryptocurrency users, or large companies that are then forced to make ransom payments in crypto. Groups such as Evil Corp, Sandworm and APT28 (Fancy Bear) have been linked to campaigns that exfiltrate cryptocurrency or deploy ransomware for financial gain.
Consequently, it is not too far-fetched to speculate whether this attack targeted crypto criminals as well as ordinary crypto developers.
Via The Register