Cyber security news for all

    Malevolent PyPI Library Deceives Solana Users, Purloins Blockchain Wallet Keys

    Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) that impersonates a library from the Solana blockchain platform but is built to steal victims’ secrets.

    “The authentic Solana Python API project is recognized as ‘solana-py’ on GitHub, but simply labeled ‘solana’ on PyPI,” Sonatype analyst Ax Sharma detailed in a report published last week. “This subtle discrepancy in nomenclature has been exploited by a malicious actor who uploaded a counterfeit ‘solana-py’ project onto PyPI.”

    The malicious “solana-py” package was downloaded 1,122 times between its publication on August 4, 2024, and its removal from PyPI.

    Notably, the library carried version numbers 0.34.3, 0.34.4, and 0.34.5, while the latest release of the legitimate “solana” package is 0.34.3. Publishing releases numbered past the real project suggests an attempt to make users searching for “solana” take “solana-py” for the newer, more current package and install it instead.

    The rogue package also copies the legitimate package’s code wholesale, but adds malicious code to the “__init__.py” script, so it executes as soon as the package is imported. That code searches the target system for Solana blockchain wallet keys.

    The stolen data is then sent to a Hugging Face Spaces domain controlled by the attacker (“treeprime-gen.hf[.]space”), another instance of the recurring pattern of threat actors abusing legitimate services to blend in.

    The campaign also widens the supply-chain exposure: Sonatype’s investigation found that legitimate libraries such as “solders” inadvertently reference “solana-py” (the GitHub project name of the real library) in their PyPI documentation. A developer following that documentation could install “solana-py” from PyPI and receive the malicious package instead, broadening the attack surface.
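    The two signals described above (versions that outrun the real project, and extra import-time code added to a copied package’s __init__.py) are straightforward to check before a dependency is adopted. The script below is an added example, not Sonatype’s tooling and not code from the solana or solana-py projects. Both package trees are constructed in-memory dicts standing in for two unpacked wheels or sdists; the “injected” lines are a constructed stand-in for the real payload, the indicator patterns are the author’s own heuristics, and the ~/.config/solana path is assumed to be where the Solana CLI keeps keypair files.

```python
"""Audit a suspect PyPI distribution against the legitimate package it copies.

Added example (not Sonatype's tooling, not solana-py project code). The package
trees are constructed in-memory dicts {relative path: source text}; the extra
lines in the suspect __init__.py are a constructed stand-in, not the real payload.
"""
import difflib
import re

# Constructed: a trimmed stand-in for the legitimate "solana" package.
LEGIT_TREE = {
    "solana/__init__.py": '"""Solana Python API."""\n__version__ = "0.34.3"\n',
    "solana/rpc/api.py": "class Client:\n    def __init__(self, endpoint):\n        self.endpoint = endpoint\n",
}

# Constructed: the same files copied verbatim, plus lines in __init__.py that run on import.
SUSPECT_TREE = {
    "solana/__init__.py": (
        '"""Solana Python API."""\n'
        '__version__ = "0.34.5"\n'
        "import os, glob, urllib.request  # constructed stand-in for injected code\n"
        '_C2 = "treeprime-gen.hf.space"\n'
        '_KEYS = glob.glob(os.path.expanduser("~/.config/solana/*.json"))  # assumed CLI keypair dir\n'
    ),
    "solana/rpc/api.py": LEGIT_TREE["solana/rpc/api.py"],
}

# Heuristic indicators of import-time credential theft (author's own list; tune per stack).
INDICATORS = [
    (re.compile(r"\b(urllib|requests|socket|http\.client)\b"), "network library"),
    (re.compile(r"\.hf\.space|ngrok|pastebin", re.I), "free hosting / exfil endpoint"),
    (re.compile(r"expanduser|\.config/solana|id\.json|keypair", re.I), "wallet/key file access"),
    (re.compile(r"\b(exec|eval|base64)\b"), "obfuscation or dynamic code"),
]


def parse_version(v):
    """Release segment only ("0.34.5" -> (0, 34, 5)); enough for this comparison."""
    return tuple(int(p) for p in v.split("."))


def versions_beyond_upstream(suspect_versions, latest_legit):
    """Suspect releases numbered past the real project's latest release."""
    top = parse_version(latest_legit)
    return [v for v in suspect_versions if parse_version(v) > top]


def added_lines(legit_tree, suspect_tree, path):
    """Lines present in the suspect's copy of `path` but not in the legitimate one."""
    before = legit_tree.get(path, "").splitlines()
    after = suspect_tree.get(path, "").splitlines()
    diff = difflib.unified_diff(before, after, lineterm="", n=0)
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]


def flag_lines(lines):
    """Pair each added line with the indicators it trips; clean lines are dropped."""
    hits = []
    for line in lines:
        reasons = [why for rx, why in INDICATORS if rx.search(line)]
        if reasons:
            hits.append((line, reasons))
    return hits


def audit(legit_tree, suspect_tree, suspect_versions, latest_legit):
    """Build a report; __init__.py files get special attention because they run on import."""
    init_paths = [p for p in suspect_tree if p.endswith("__init__.py")]
    findings = {p: flag_lines(added_lines(legit_tree, suspect_tree, p)) for p in init_paths}
    return {
        "new_files": sorted(set(suspect_tree) - set(legit_tree)),
        "changed_files": sorted(p for p in legit_tree if suspect_tree.get(p) != legit_tree[p]),
        "versions_beyond_upstream": versions_beyond_upstream(suspect_versions, latest_legit),
        "init_findings": {p: f for p, f in findings.items() if f},
    }


if __name__ == "__main__":
    report = audit(LEGIT_TREE, SUSPECT_TREE, ["0.34.3", "0.34.4", "0.34.5"], "0.34.3")
    print("versions past upstream:", report["versions_beyond_upstream"])
    print("changed files:", report["changed_files"], "new files:", report["new_files"])
    for path, hits in report["init_findings"].items():
        for line, reasons in hits:
            print(f"{path}: {line!r} -> {', '.join(reasons)}")
```

    In practice the two trees come from unpacking the candidate wheel and the known-good release (for example with `pip download --no-deps` into separate directories); the diff-then-flag step is what catches a copied package whose only difference is a few lines of import-time code, which a plain name or version check would never surface.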

    “In essence, if a developer employing the legitimate ‘solders’ PyPI package in their application is misled by the documentation into falling for the typosquatted ‘solana-py’ project, they would unknowingly embed a crypto-stealer into their software,” Sharma elucidated.

    “This would not only compromise their own sensitive data but also that of any user running the developer’s application.”

    The disclosure coincides with Phylum’s report of hundreds of thousands of spam packages on the npm registry that bear the hallmarks of Tea protocol abuse, a campaign first documented in April 2024.

    “The Tea protocol project is actively taking measures to address this issue,” the supply chain security firm announced. “It would be unjust for legitimate Tea protocol participants to have their earnings diminished due to the fraudulent activities of others. Moreover, npm has begun removing some of these spammers, but the removal rate does not yet match the influx of new publications.”
