Russian Crypto Hackers Hit by Malware in Suspected U.S. Cyberattack

  • TPW DESK
  • 01:52:39 pm, Tuesday, 19 August 2025

Security researchers have uncovered malicious npm packages designed to steal sensitive data from developers working in the Solana ecosystem. The victims appear to be based in Russia, while the stolen data was sent to servers in the United States, sparking speculation over possible state-sponsored involvement.

 Malicious Packages Uncovered

The packages, named “solana-pump-test” and “solana-spl-sdk,” were published under the same npm account. They were built to run install-time scripts: as soon as a developer installed one, the script harvested private keys and other sensitive data from the machine and sent it to an attacker-controlled server, potentially granting the attacker access to the victim's crypto funds.

 U.S. vs. Russia?

Researchers noted that the exfiltrated data was routed to U.S.-based IP addresses. This has fueled theories that the operation might be tied to geopolitical tensions, with U.S. actors targeting Russian crypto developers, possibly even criminal groups. The location of a collection server is weak evidence of who operates it, however: a U.S.-hosted server can be rented, or compromised, by an attacker anywhere in the world.

 Solana Ecosystem in Focus

Solana, often called the “Ethereum killer,” is a popular blockchain platform for decentralized applications. Its prominence makes it a frequent target for cybercriminals, and a developer's signing keypair is a direct path to the funds it controls. Russia, meanwhile, is home to several state-linked hacking groups that rely heavily on cryptocurrency to collect ransomware payments and move the proceeds.

 Bigger Picture

npm is operated by GitHub (a Microsoft subsidiary), but the registry does not review packages before they are published, so researchers warn that the incident highlights the ongoing risks developers face from anything they install. Whether the attack was a geopolitical move or a crackdown on crypto criminals, it underscores how blockchain ecosystems remain a prime battlefield in global cyberwarfare.
