Cybersecurity researchers discovered a malicious software package. It was found on the Python Package Index, also known as PyPI. The package purported to be an application related to Solana. However, it contained hidden malicious functionality. Its actual aim was to steal valuable source code. It also sought to exfiltrate developer secrets from machines. Named “solana-token,” this package is no longer downloadable. It had been downloaded 761 times before its removal. It was first published to PyPI in early April 2024. It initially used an entirely different version numbering scheme.
When installed, this malicious package attempts data exfiltration. It tries to send source code and developer secrets. These are sent to a hard-coded IP address. ReversingLabs researcher Karlo Zanki detailed this in a report. This report was shared with The Hacker News. The package copies source code from all files present. These files are located in the Python execution stack. This theft is disguised as a blockchain function. This function is named “register_node().” This unusual activity targets sensitive crypto-related secrets. Attackers specifically seek secrets hard-coded in early programming. This occurs when developers incorporate the malicious function.
The threat actors behind this package likely targeted developers.
More specifically, those looking to create their own blockchains were targets. This assessment is strongly based on the package name. The specific functions built into the package also support this. The exact method of its distribution is currently not known. However, it was probably promoted via developer-focused platforms. This discovery underscores a persistent and concerning fact. Cryptocurrency continues to be one of the most popular targets. Supply chain threat actors frequently focus on these valuable projects.
This incident highlights the critical need for developer vigilance.
Developers must take steps to scrutinize every package. This scrutiny should happen before any package is used. Karlo Zanki emphasized that development teams must aggressively monitor. They should look for suspicious activity or unexplained changes. This applies to both open source and commercial third-party software modules. Stopping malicious code early is extremely important. It must be halted before it can penetrate secure development environments. By doing so, teams can prevent destructive supply chain attacks.
Reference:
