TZUTC: -0500   
   MSGID: 1378.consprcy@1:2320/105 2d08fd11   
   PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   FORMAT: flowed   
   Are they brave or stupid? Malware targeting Russian crypto hackers found   
      
   Date:   
   Mon, 18 Aug 2025 17:27:00 +0000   
      
   Description:   
   Researchers found malware hiding in npm packages downloaded by Russian crypto   
   developers.   
      
   FULL STORY   
      
   Two malicious packages were recently discovered on the npm package manager   
   platform targeting software developers on the Solana ecosystem.    
      
   However the discovery, attribution, and potential targets of the malware have   
   made researchers speculate if this was a state-sponsored attack.    
      
   Solana is a blockchain designed for decentralized applications and   
   cryptocurrencies. It is similar to Ethereum in many aspects, which is why it   
   is often described in the crypto community as the Ethereum killer.   
      
   Targeting devs? Or hackers? Or both?   
      
   Recently, security researchers from Safety found two npm packages:   
   solana-pump-test and solana-spl-sdk.    
      
   Both were submitted by the same author, and both contained identical code -   
   and according to Safety, when these packages were installed, they ran scripts   
   that exfiltrated sensitive information from compromised devices, including   
   private keys that granted the attackers access to crypto funds.    
      
   Safety says that the victims - the developers that downloaded and ran the   
   infostealers - were located in Russia.    
      
   The attackers, on the other hand, seem to be located in the United States,   
   based on the IP addresses where the exfiltrated data was relayed.    
      
   These things were enough for the researchers to ask if this was a US-backed   
   threat actor targeting Russia, probably due to currently strained   
   geo-political relations between the two powers.    
      
   But npm, as a platform, is not Russian, or managed by the Russians. The npm   
   platform is run by npm, Inc., a company that was originally independent but    
   is now a subsidiary of GitHub, which itself is owned by Microsoft.    
      
   Still, Russia has multiple state-sponsored and affiliated threat actors known   
   to target cryptocurrency users, or large enterprises which are then forced to   
   make ransom payments in crypto. Groups such as Evil Corp, Sandworm, and APT28   
   (Fancy Bear) have been linked to campaigns that either exfiltrate   
   cryptocurrency or deploy ransomware for financial gain.    
      
   Therefore, it is not too far-fetched to speculate if this attack was aimed at   
   crypto criminals, as well as regular crypto developers.    
      
    Via The Register   
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/are-they-brave-or-stupid-malware-target   
   ing-russian-crypto-hackers-found   
      
   $$   
   --- SBBSecho 3.28-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 111 114 206 300 307 317 400 426 428   
   SEEN-BY: 229/470 664 700 705 266/512 291/111 320/219 322/757 342/200   
   SEEN-BY: 396/45 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35   
   PATH: 2320/105 229/426