August 11, 2024 at 06:27AM
Researchers found a malicious package on PyPI that poses as the Python client library for the Solana blockchain and steals user secrets. The fraudulent “solana-py” package was downloaded 1,122 times before it was removed. It mimicked the legitimate “solana” package and harvested wallet keys, exfiltrating them to a Hugging Face Spaces endpoint. The case highlights software supply chain risk from lookalike package names and the abuse of legitimate hosting services as exfiltration infrastructure.
Key takeaways:
1. A malicious package named “solana-py” was discovered on the Python Package Index (PyPI), masquerading as a legitimate library from the Solana blockchain platform.
2. The malicious package was designed to steal victims’ secrets by harvesting Solana wallet keys from the system and exfiltrating them to a Hugging Face Spaces domain (“treeprime-gen.hf[.]space”), a legitimate service used here as a drop point.
3. The rogue package used the same version numbers as the legitimate “solana” package so that it would look like a current release of the real library. The legitimate library is published on PyPI as “solana” while its source repository is named solana-py, which made the rogue name plausible to developers who knew the project by its repository name.
4. The campaign posed a supply chain risk because legitimate libraries such as “solders” referred to “solana-py” in their PyPI documentation, so developers following that documentation could install the malicious package by mistake.
5. The disclosure also highlighted the presence of hundreds of thousands of spam npm packages on the registry containing markers of Tea protocol abuse, with steps being taken to remediate the issue.
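Items 3 and 4 describe the core technique: a rogue name that differs from a trusted package only by an affix (“solana” versus “solana-py”) while reusing its version numbers. The following is an added example, not code from the original report or from any of the projects named above: a pre-install check that parses a requirements file, normalizes names the way PyPI does (PEP 503), and flags anything outside an allowlist that is an affix variant or a near-duplicate spelling of an allowed name. It generalizes beyond the “-py” case to other common affixes. The requirements text, the allowlist and the affix list are constructed for the example.

```python
"""Flag requirement names that look like trusted packages but are not them.

Added example for the solana / solana-py case; not part of the original report.
"""
import re
from difflib import SequenceMatcher

# Affixes attackers commonly bolt onto a real name ("solana" -> "solana-py",
# "requests" -> "python-requests"). Constructed list for this example.
AFFIXES = ("py", "python", "lib", "sdk", "client", "api")

# Constructed sample requirements file, not from any real project.
REQUIREMENTS = """\
# constructed sample
solana==0.34.3
solana-py==0.34.3      # same version numbers as the real "solana" package
solders>=0.21
-r other-requirements.txt
requestss==2.32.0      # misspelling of "requests"
"""

# Constructed allowlist of the names this project is actually supposed to use.
ALLOWLIST = {"solana", "solders", "requests"}

REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def strip_affixes(name: str) -> str:
    """Remove leading/trailing affix words so 'solana-py' and 'solana' compare equal."""
    parts = [p for p in normalize(name).split("-") if p]
    while len(parts) > 1 and parts[0] in AFFIXES:
        parts.pop(0)
    while len(parts) > 1 and parts[-1] in AFFIXES:
        parts.pop()
    return "-".join(parts)


def parse_requirements(text: str) -> list[str]:
    """Return the bare project names from a requirements.txt body.

    Comments and pip options such as '-r other.txt' are skipped.
    """
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = REQ_LINE.match(line)
        if m:
            names.append(m.group(1))
    return names


def check_requirements(text: str, allowlist: set[str],
                       threshold: float = 0.85) -> list[tuple[str, str, str]]:
    """Return (requested_name, allowed_name_it_resembles, reason) findings.

    Names that normalize to an allowlist entry pass silently. Anything else is
    reported as an affix variant, a near-duplicate spelling, or simply unknown.
    """
    allowed = {normalize(a) for a in allowlist}
    findings = []
    for raw in parse_requirements(text):
        name = normalize(raw)
        if name in allowed:
            continue
        stripped = strip_affixes(name)
        for good in allowed:
            if stripped == strip_affixes(good):
                findings.append((raw, good, "affix variant"))
                break
            if SequenceMatcher(None, name, good).ratio() >= threshold:
                findings.append((raw, good, "near-duplicate spelling"))
                break
        else:
            findings.append((raw, "", "not in allowlist"))
    return findings


if __name__ == "__main__":
    for requested, resembles, reason in check_requirements(REQUIREMENTS, ALLOWLIST):
        print(f"{requested!r}: {reason}" + (f" of {resembles!r}" if resembles else ""))
```

Run against the sample, the check passes “solana” and “solders”, flags “solana-py” as an affix variant of “solana”, and flags “requestss” as a near-duplicate of “requests”. Name heuristics like this only catch lookalikes; they do not verify that the package you do install is the one you reviewed. For that, pin exact versions with hashes and install with `pip install --require-hashes`, so a same-name, same-version upload with different contents fails to install.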