CyberSecurity news
Author: lucija.valentic@reversinglabs.com (Lucija, Blog (Main))
A malicious Python package named `solana-token` has been discovered on the Python Package Index (PyPI) targeting Solana developers. This rogue package, posing as a utility for the Solana blockchain, was designed to exfiltrate source code and developer secrets from compromised machines to a hard-coded IP address. The ReversingLabs research team uncovered this supply chain attack, highlighting the increasing trend of malicious actors targeting cryptocurrency projects. Before being taken down, the `solana-token` package was downloaded over 600 times, potentially distributed through developer-focused platforms.
The malicious package contained telltale signs of compromise, including hardcoded IP addresses, outbound communications to non-standard network ports, and code that reads local files, all typical of information stealers. One insidious technique in the package walked the Python execution stack, read the source code of every file in the call chain, and exfiltrated it to a remote server. The objective was to steal sensitive information such as developer secrets and hardcoded crypto credentials, which could grant attackers unauthorized access to cryptocurrency wallets and critical infrastructure.
This incident is not isolated: a previous package with the same name was published and removed in 2024, which suggests, according to the report, that the same malicious actors may be behind the new malicious version. Cybersecurity experts recommend that organizations address the increasing number of supply chain threats targeting cryptocurrency projects by aggressively monitoring for suspicious activity and unexplained changes within open source and commercial, third-party software modules. By stopping malicious code before it is allowed to penetrate secure development environments, teams can prevent destructive supply chain attacks.
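The indicators listed above (hardcoded IP literals, connections to non-standard ports, stack walking, local file reads) are easy to triage statically before a dependency reaches a build environment. The script below is an added example, not code from the page or from ReversingLabs: it parses a package's Python source with the `ast` module, flags each indicator, and combines them into a verdict. The two fixture sources, the address `203.0.113.45` (documentation range), port `4444`, the `STANDARD_PORTS` set and the scoring rule in `classify` are all assumptions made for the example.

```python
import ast
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Ports a client library would normally need; anything else is treated as non-standard (assumption).
STANDARD_PORTS = {80, 443}

# Calls that walk the interpreter's execution stack, the behaviour the report describes.
STACK_WALK_CALLS = {"inspect.stack", "inspect.getouterframes", "inspect.currentframe", "sys._getframe"}

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class Finding:
    line: int        # source line of the indicator
    indicator: str   # hardcoded_ip | nonstandard_port | stack_walk | file_read
    detail: str


def _dotted_name(node: ast.AST) -> Optional[str]:
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else (e.g. a call result)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_source(source: str) -> List[Finding]:
    """Walk the AST once and record every indicator with its line number."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str) and IPV4_RE.match(node.value):
            try:
                ipaddress.IPv4Address(node.value)   # reject things like 999.1.1.1
            except ValueError:
                continue
            findings.append(Finding(node.lineno, "hardcoded_ip", node.value))
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in STACK_WALK_CALLS:
                findings.append(Finding(node.lineno, "stack_walk", name))
            elif name == "open" or (name and name.endswith(".open")):
                findings.append(Finding(node.lineno, "file_read", name))
            elif name and name.endswith(".connect") and node.args:
                # socket.connect((host, port)): inspect the port element of the tuple
                target = node.args[0]
                if isinstance(target, ast.Tuple) and len(target.elts) == 2:
                    port = target.elts[1]
                    if isinstance(port, ast.Constant) and isinstance(port.value, int) \
                            and port.value not in STANDARD_PORTS:
                        findings.append(Finding(node.lineno, "nonstandard_port", f"{name} port {port.value}"))
    return findings


def classify(findings: List[Finding]) -> str:
    """Combine indicators: reading sources off the stack plus a hardcoded endpoint is the stealer pattern."""
    kinds = {f.indicator for f in findings}
    reads_sources = "stack_walk" in kinds and "file_read" in kinds
    talks_out = "hardcoded_ip" in kinds or "nonstandard_port" in kinds
    if reads_sources and talks_out:
        return "stealer-like"
    if kinds:
        return "suspicious"
    return "clean"


# Constructed fixture reproducing the indicators from the report (not the real package's code).
SUSPICIOUS_SOURCE = '''\
import inspect
import socket

def collect():
    payload = ""
    for frame in inspect.stack():          # walk every caller frame
        payload += open(frame.filename).read()
    return payload

def beacon():
    s = socket.socket()
    s.connect(("203.0.113.45", 4444))      # constructed address and port
'''

# Constructed benign fixture: an ordinary HTTPS API client with no stack or file access.
BENIGN_SOURCE = '''\
import json
import urllib.request

def balance(address):
    body = json.dumps({"addr": address}).encode()
    req = urllib.request.Request("https://api.example.invalid/balance", data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SOURCE), ("benign", BENIGN_SOURCE)):
        found = scan_source(src)
        print(f"{label}: {classify(found)}")
        for f in found:
            print(f"  line {f.line}: {f.indicator} ({f.detail})")
```

Run it over a package's `.py` files (for example from an unpacked sdist) before the package is installed into a development environment; the verdict is a triage signal for manual review, and the rule in `classify` should be tuned to the libraries a project legitimately uses.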
References:
- securityonline.info: PyPI Malware Alert: Malicious ‘solana-token’ Package Targets Solana Developers
- Blog (Main): Same name, different hack: PyPI package targets Solana developers
- The Hacker News: Malicious PyPI Package Posing as Solana Tool Stole Source Code