August 12, 2024
Severity
High
Analysis Summary
Cybersecurity researchers have found a new malicious package on the Python Package Index (PyPI) repository that poses as a library for the Solana blockchain platform but is designed to steal victims' secrets.
The official project behind the Solana Python API is called 'solana-py' on GitHub, but it is published under the name 'solana' in the PyPI registry. A threat actor took advantage of this minor naming mismatch by publishing a 'solana-py' project on PyPI. Since its release on August 4, 2024, the malicious 'solana-py' package was downloaded 1,122 times; it is no longer available for download from PyPI.
The researchers noted that the library's version numbers, 0.34.3, 0.34.4 and 0.34.5, stand out the most: the official 'solana' package is currently at version 0.34.3. This clearly shows that the threat actor is trying to trick anyone searching for 'solana' into unintentionally downloading 'solana-py' instead. Furthermore, the rogue package reuses the genuine code from its legitimate counterpart but modifies the '__init__.py' script so that it harvests the Solana blockchain wallet keys from the system.
The threat actor then exfiltrates this information to a Hugging Face Spaces domain, demonstrating once more how threat actors abuse trusted platforms for malicious ends. The campaign poses a supply chain risk because legitimate libraries such as 'solders' refer to 'solana-py' in their PyPI documentation. This could lead developers to download 'solana-py' from PyPI by mistake, thereby increasing the attack surface.
Put differently, if a developer incorporates the official 'solders' PyPI package into their program and is duped (via the solders documentation) into believing that the typosquatted 'solana-py' project is authentic, they can unintentionally add a crypto stealer to their application. Not only would their own secrets be stolen, but so would those of every user who runs the developer's application.
The disclosure coincides with the discovery of hundreds of thousands of spam npm packages on the registry that carry indicators of Tea protocol abuse. The campaign was originally discovered in April 2024, and the Tea protocol project is working on solutions to address it. Reducing the compensation of genuine Tea protocol participants because of fraudulent activity would be unjust. Furthermore, npm has started to remove some of these spammers; however, the rate of removal does not match the pace at which new packages are published.
Impact
- Sensitive Information Theft
- Cryptocurrency Theft
Remediation
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Patch and upgrade any platforms and software on time and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Regularly review the dependencies of your open-source projects and consider using package-lock files or version pinning to ensure that you're using trusted and verified packages.
- Use automated security scanning tools to analyze dependencies for known vulnerabilities or suspicious code.
- Provide training to developers and team members on secure coding practices, the risks of third-party dependencies, and the importance of code reviews.
- Implement access control measures on your code repositories to restrict who can contribute or make changes to the codebase.
- Maintain regular backups of your critical data to ensure data recovery in case of a security incident.
- Use antivirus and intrusion detection systems to help identify and block malicious activity.
- Implement network segmentation to limit the spread of malware or malicious activities within your network.
- Enforce strong password management practices for your systems and accounts.
- Implement MFA wherever possible to add an extra layer of security.
- Properly evaluate the Python code that you download before installing it onto your system.
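As an added example (not from the advisory or from the solana-py project), the following Python audit applies the dependency-review advice above to a requirements file: it flags the typosquatted PyPI name, trusted packages left unpinned, and lookalike names. The known-good and known-bad name lists and the sample requirements are constructed for illustration.

```python
import difflib
import re

# Legitimate PyPI names from the advisory. 'solana' on PyPI is the project that
# calls itself solana-py on GitHub; the PyPI name 'solana-py' is the malicious one.
KNOWN_GOOD = {"solana", "solders"}
KNOWN_BAD = {"solana-py"}
# Package name plus optional '==version'; extras, markers, other operators ignored.
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([\w.]+))?")


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(text: str) -> list[tuple[str, str]]:
    """Return (normalized name, reason) for every entry that deserves a human look."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith("-"):  # skip pip options such as -r / -e
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name, pinned = normalize(m.group(1)), m.group(2)
        if name in KNOWN_BAD:
            findings.append((name, "known malicious typosquat"))
        elif name in KNOWN_GOOD:
            if pinned is None:                # trusted package left unpinned
                findings.append((name, "not pinned to a version"))
        else:
            # Lookalike heuristics: a trusted name embedded in another name
            # (solanapy, pysolana) or a close edit-distance match (difflib).
            for good in sorted(KNOWN_GOOD):
                if good in name or difflib.get_close_matches(name, [good], cutoff=0.8):
                    findings.append((name, f"lookalike of '{good}'"))
                    break
    return findings


# Constructed sample input, not taken from any real project.
SAMPLE = """\
solana==0.34.3
solders
solana-py==0.34.5
solana_py
solanapy==1.0
requests==2.32.3
"""

for pkg, reason in audit_requirements(SAMPLE):
    print(f"{pkg}: {reason}")
```

The name normalization matters because pip treats 'solana_py', 'Solana.py' and 'solana-py' as the same distribution, so a blocklist that compares raw strings would miss them.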