Password-stealing malware is being spread by hackers through NFT airdrops purporting to be Solana Phantom security updates.

For the last two weeks, unknown hackers have been airdropping nonfungible tokens (NFTs) to Solana cryptocurrency users masquerading as a new Phantom wallet security update, however, instead of an update, it’s malware designed to steal their crypto.

According to BleepingComputer, the hackers are claiming to be from the Phantom team and using NFTS titled “PHANTOMUPDATE.COM” or “UPDATEPHANTOM.COM.”

After opening the NFT, users are told a new security update has been issued for the Phantom wallet and can be downloaded by using the enclosed link or the listed website.

To add urgency, the message claims that failing to download the fake security update, “may result in a loss of funds due to hackers exploiting the Solana network.”

The fake NFTs being used to spread malware. Source: BleepingComputer

The urgency piece is likely related to the Solana-based wallet hack which saw roughly $8 million stolen from 8,000 wallets in August, including those of Phantom wallet users. The security exploit was later linked to vulnerabilities within the Solana-based Web3 wallet service Slope. 

Should a victim follow the fake Phantom update instructions, the process ends with malware being downloaded from GitHub which attempts to steal browser information, history, cookies, passwords, SSH keys and other information from the user. 

Users who may have inadvertently fallen prey to this scam are recommended to take security precautions such as scanning their computer with antivirus software, securing crypto assets, and changing passwords on sensitive platforms such as bank accounts and crypto trading platforms.

Related: Blockchain security firm warns of new MetaMask phishing campaign

In the past, similar malware-spreading campaigns have employed malware dubbed “Mars Stealer” to steal crypto from unsuspecting users.

An upgrade of the information-stealing Oski trojan of 2019, Mars Stealer targets more than 40 browser-based crypto wallets, along with popular two-factor authentication (2FA) extensions, with a grabber function that steals users’ private keys.