Fake Solana Tool on PyPI Targeted Developers, Stole Source Code
A malicious package disguised as a Solana-related utility was found lurking on the Python Package Index (PyPI), security experts warn. The imposter application didn't help developers build blockchain apps; instead, it secretly siphoned off source code and other sensitive developer secrets, potentially compromising entire projects.

Security researchers have uncovered a nasty surprise lurking on the Python Package Index (PyPI): a malicious package disguised as a Solana blockchain application. This fake app was designed to steal source code and other sensitive secrets right from developers' machines.
The package, called solana-token, has since been removed from PyPI. But get this – before it was taken down, it was downloaded a whopping 761 times! It initially appeared on PyPI in early April 2024, sporting a rather unusual version numbering system.
"Once installed, the malicious package tries to sneak out source code and developer secrets from the developer's computer to a pre-set IP address," explained Karlo Zanki, a researcher at ReversingLabs, in a report shared with The Hacker News.
Specifically, the package secretly copies and sends out source code from all files in the Python execution stack, hiding behind what looks like a normal blockchain function called "register_node()."
Why all the secrecy? It seems these attackers were after valuable crypto-related secrets that developers might be hard-coding in the early stages of building their applications.
The target? Likely developers trying to create their own blockchains. That's the thinking, based on the package's name and what it was designed to do.
It's still unclear exactly how this malicious package was spread. However, it's suspected to have been promoted on platforms frequented by developers.
This incident highlights a growing trend: cryptocurrency continues to be a prime target for supply chain attacks. Developers need to be extra cautious and carefully examine every package before using it.
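One way to examine a package for the behaviour described above is a static check that flags any function which both walks the Python call stack and calls into a network module. This is an added example, not code from ReversingLabs or from the package. The indicator lists, the helper names and the sample source are assumptions made for illustration.

```python
import ast

# Assumed indicators (not from the report): stack-walking calls and network modules.
STACK_CALLS = {"inspect.stack", "inspect.currentframe", "inspect.getouterframes",
               "sys._getframe", "traceback.extract_stack"}
NET_MODULES = {"socket", "requests", "urllib", "http", "ftplib", "smtplib"}

def import_aliases(tree):
    """Map each local name bound by an import to the dotted name it refers to."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                top = a.name.split(".")[0]
                aliases[a.asname or top] = a.name if a.asname else top
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases

def resolve(node, aliases):
    """Return the qualified dotted name of a call target, or None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(aliases.get(node.id, node.id))
    return ".".join(reversed(parts))

def scan_source(source):
    """Return {function: calls} where a function both walks the stack and uses the network."""
    tree = ast.parse(source)
    aliases = import_aliases(tree)
    findings = {}
    for func in ast.walk(tree):
        if isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            calls = {resolve(n.func, aliases) for n in ast.walk(func) if isinstance(n, ast.Call)}
            net = {c for c in calls if c and c.split(".")[0] in NET_MODULES}
            if calls & STACK_CALLS and net:
                findings[func.name] = sorted((calls & STACK_CALLS) | net)
    return findings

# Constructed sample (parsed, never executed); not the real package's code.
SAMPLE = ("import inspect as _i\nfrom socket import create_connection\n"
          "def register_node(host, port):\n    frames = _i.stack()\n"
          "    return create_connection((host, port))\n")
if __name__ == "__main__":
    print(scan_source(SAMPLE))
```

A hit is a reason to read the function by hand before installing, not proof of malice, and code that hides these calls behind dynamic imports or `getattr` will not be flagged.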
"Development teams need to be on high alert, constantly monitoring for suspicious activity or unexplained changes in both open source and commercial software," Zanki emphasized. "By catching malicious code before it gets into secure development environments, teams can prevent devastating supply chain attacks."