Cybersecurity researchers recently uncovered a malicious package on the Python Package Index (PyPI) repository that pretends to be a library from the Solana blockchain platform. This package, however, is designed to steal sensitive information from its victims.
Researchers at Sonatype reported that the legitimate Solana Python API project is known as “solana-py” on GitHub and simply “solana” on PyPI. This minor naming discrepancy was exploited by a threat actor who published a fake “solana-py” project on PyPI. The malicious package, which attracted a total of 1,122 downloads since its publication on August 4, 2024, has since been removed from PyPI.
Exploiting Naming Discrepancies
The threat actor behind the rogue package took advantage of the similarity in names to deceive users searching for the legitimate “solana” package. The malicious library carried version numbers 0.34.3, 0.34.4, and 0.34.5, with the latest legitimate version being 0.34.3. This tactic was clearly intended to trick users into downloading the counterfeit package instead of the authentic one.
Moreover, the rogue package contained the actual code from the genuine Solana library but included additional malicious code in the “init.py” script. This code was responsible for harvesting Solana blockchain wallet keys from the system and exfiltrating this information to a domain operated by the threat actor, “treeprime-gen.hf[.]space.” This incident highlighted how cybercriminals are abusing legitimate services for malicious purposes.
Supply Chain Risk and Broader Implications
The attack posed a significant supply chain risk. Sonatype’s investigation revealed that legitimate libraries, such as “solders,” referenced “solana-py” in their PyPI documentation. This created a scenario where developers could mistakenly download the malicious “solana-py” package from PyPI, inadvertently broadening the attack surface.
The report indicated that if a developer using the legitimate “solders” PyPI package was misled by the documentation to download the typosquatted “solana-py” project, they would inadvertently introduce a crypto stealer into their application. This would not only compromise their secrets but also those of any user running the developer’s application.
Wider Context of Supply Chain Security
This disclosure came alongside reports from Phylum about identifying hundreds of thousands of spam npm packages on the registry containing markers of Tea protocol abuse. This campaign first came to light in April 2024. The supply chain security firm noted that the Tea protocol project was taking steps to address this problem. It emphasized the importance of not penalizing legitimate participants in the Tea protocol by reducing their remuneration due to system scammers. Additionally, npm has begun to remove some of these spammers, although the takedown rate does not match the new publication rate.
This incident underscored the critical importance of vigilance and thorough vetting in the open-source software community. The malicious “solana-py” package’s ability to infiltrate the PyPI repository and deceive users highlights the ongoing challenges in securing the software supply chain. Developers must be cautious and verify the authenticity of packages before integrating them into their projects. This vigilance is especially crucial in environments where slight variations in naming can lead to significant security breaches.
In conclusion, the discovery of the malicious “solana-py” package serves as a stark reminder of the evolving threats in the cybersecurity landscape. It emphasizes the need for continuous monitoring, improved security measures, and heightened awareness among developers to safeguard against such deceptive attacks. As the open-source community continues to grow and evolve, maintaining the integrity and security of software repositories like PyPI and npm remains a top priority.
