18 Aug, 2025
Are they brave or stupid? Malware targeting Russian crypto hackers found
@Source: techradar.com
Sead Fadilpašić
18 August 2025

Researchers found malware hiding in npm packages

Researchers uncover two packages carrying an infostealer
The victims are apparently Russian, and attackers American
This prompted the researchers to speculate if the targets were Russian crypto hackers

Two malicious packages were recently discovered on the npm package manager platform targeting software developers on the Solana ecosystem. However the discovery, attribution, and potential targets of the malware have made researchers speculate if this was a state-sponsored attack.

Solana is a blockchain designed for decentralized applications and cryptocurrencies. It is similar to Ethereum in many aspects, which is why it is often described in the crypto community as the “Ethereum killer”.
Targeting devs? Or hackers? Or both?

Recently, security researchers from Safety found two npm packages: “solana-pump-test” and “solana-spl-sdk”. Both were submitted by the same author, and both contained identical code - and according to Safety, when these packages were installed, they ran scripts that exfiltrated sensitive information from compromised devices, including private keys that granted the attackers access to crypto funds.

Safety says that the victims - the developers that downloaded and ran the infostealers - were located in Russia. The attackers, on the other hand, seem to be located in the United States, based on the IP addresses where the exfiltrated data was relayed.

These things were enough for the researchers to ask if this was a US-backed threat actor targeting Russia, probably due to currently strained geo-political relations between the two powers.

But npm, as a platform, is not Russian, or managed by the Russians. The npm platform is run by npm, Inc., a company that was originally independent but is now a subsidiary of GitHub, which itself is owned by Microsoft.

Still, Russia has multiple state-sponsored and affiliated threat actors known to target cryptocurrency users, or large enterprises which are then forced to make ransom payments in crypto.
Groups such as Evil Corp, Sandworm, and APT28 (Fancy Bear) have been linked to campaigns that either exfiltrate cryptocurrency or deploy ransomware for financial gain. Therefore, it is not too far-fetched to speculate if this attack was aimed at crypto criminals, as well as regular crypto developers.

Via The Register
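For teams that want to check their own projects against the two package names reported above, the following is an added example, not code from the article or from Safety. It assumes an npm lockfile with lockfileVersion 2 or 3, where dependencies are listed under `packages` and install-time lifecycle scripts are recorded as `hasInstallScript`; the sample lockfile, its versions and the `example-*` names are constructed.

```javascript
// Added example (not from the article): audit an npm lockfile for the two
// reported package names and for dependencies that run install-time scripts.
const REPORTED = new Set(["solana-pump-test", "solana-spl-sdk"]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    // npm stores the real name in `name` when a package is installed under an alias.
    const name = meta.name || packageName(path);
    let reason = null;
    if (REPORTED.has(name)) reason = "reported-malicious";
    else if (meta.hasInstallScript === true) reason = "install-script";
    if (reason) findings.push({ name, version: meta.version, path, reason });
  }
  // Reported packages first, then packages that merely declare install scripts.
  const rank = (f) => (f.reason === "reported-malicious" ? 0 : 1);
  return findings.sort((a, b) => rank(a) - rank(b) || a.name.localeCompare(b.name));
}

// Constructed sample lockfile; versions and the non-Solana names are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-native-addon": { version: "2.1.0", hasInstallScript: true },
    "node_modules/example-utils": { version: "4.0.1" },
    "node_modules/solana-spl-sdk": { version: "0.0.0-example", hasInstallScript: true },
    "node_modules/example-utils/node_modules/sdk-alias": {
      name: "solana-pump-test", version: "0.0.0-example",
    },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.reason}\t${f.name}@${f.version}\t${f.path}`);
}
```

Entries flagged only as `install-script` are not malicious by themselves; they are the dependencies worth reviewing before allowing lifecycle scripts to run, for instance by installing with `npm ci --ignore-scripts` first.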