Cybersecurity experts have discovered a new malicious package on the Python Package Index (PyPI) repository that is designed to steal victims’ information. The program appears to be a library from the Solana blockchain platform.
Under the guise of a library from the Solana blockchain platform, cybersecurity experts have found a new malicious package on the Python Package Index (PyPI) repository that is intended to steal victims’ secrets.
According to a study released last week by Sonatype researcher Ax Sharma, “The legitimate Solana Python API project is known as’solana-py’ on GitHub, but simply’solana’ on the Python software registry, PyPI.” “This slight naming discrepancy has been leveraged by a threat actor who published a ‘solana-py’ project on PyPI.”
Since it was released on August 4, 2024, 1,122 people have downloaded the malicious “solana-py” package. PyPI is no longer offering downloads for it.
The library’s version numbers—0.34.3, 0.34.4, and 0.34.5—are what stand out the most. The official “solana” package is currently at version 0.34.3. This blatantly shows that the threat actor is attempting to fool anyone searching for “solana” into unintentionally downloading “solana-py” instead.
Furthermore, the rogue package modifies the “__init__.py” script, which is in charge of extracting the system’s Solana blockchain wallet keys, by using the genuine code from its counterpart.
The threat actor “treeprime-gen.hf[.]space” then uses this information to exfiltrate it to a Hugging Face Spaces domain, demonstrating once more how threat actors misuse trustworthy systems for malevolent ends.
The attack campaign presents a risk to the supply chain because, according to Sonatype’s investigation, legitimate libraries such as “solders” refer to “solana-py” in their PyPI documentation. This could have resulted in an incident where developers downloaded “solana-py” by mistake from PyPI, thereby increasing the attack surface.
“In other words, if a developer using the legitimate ‘solders’ PyPI package in their application is misled (by solders’ documentation) to fall for the typosquatted ‘solana-py’ project, they’d inadvertently introduce a crypto stealer into their application,” Sharma said.
“This would not only steal their secrets but those of any user running the developer’s application.”
The revelation coincides with Phylum’s announcement that it has discovered hundreds of thousands of spam npm packages on the registry that have Tea protocol abuse indicators in them. The campaign was originally discovered in April 2024.
“The supply chain security firm is taking steps to remediate this problem,” stated the Tea Protocol Project. “Reducing the compensation of those who are real Tea Protocol participants due to fraudulent activity would be unjust. Furthermore, npm has started to remove some of these spammers; however, the removal rate differs from the new publication pace.”
Also read: Achieving Rapid Outcomes with AI-Driven Cloud Analytics
Do Follow: CIO News LinkedIn Account | CIO News Facebook | CIO News Youtube | CIO News Twitter
About us:
CIO News is the premier platform dedicated to delivering the latest news, updates, and insights from the CIO industry. As a trusted source in the technology and IT sector, we provide a comprehensive resource for executives and professionals seeking to stay informed and ahead of the curve. With a focus on cutting-edge developments and trends, CIO News serves as your go-to destination for staying abreast of the rapidly evolving landscape of technology and IT. Founded in June 2020, CIO News has rapidly evolved with ambitious growth plans to expand globally, targeting markets in the Middle East & Africa, ASEAN, USA, and the UK.
CIO News is a proprietary of Mercadeo Multiventures Pvt Ltd.
