Hackers often target the Solana Python API ecosystem to exploit vulnerabilities in decentralized applications, access private keys, or manipulate transactions on the Solana blockchain.
Recently the Solana Python API ecosystem was targeted by a typosquatting attack (tagged as sonatype-2024-3214).
The official Solana Python API project, known as “solana-py” on GitHub but listed as “solana” on PyPI (Python Package Index), has been typosquatted.
A deceptive package “solana-py” was published by a threat actor who exploited the naming difference.
Cybersecurity researchers at Sonatype confirmed that this fake package mixes legitimate project code with cleverly hidden functionality meant to steal sensitive data.
The attack exploits the confusion that may exist among developers about the project’s name to create an unsafe download path for people who unknowingly install the wrong package instead of the genuine Solana API.
Malicious Typosquat Package
The misleading “solana-py” package published on PyPI exploited the inconsistency in naming between the project’s legitimate GitHub identity (“solana-py”) and its PyPI identity (“solana”).
This scam package tries to look real by employing several tactics: it uses a higher version number (0.34.5 vs. the legitimate 0.34.3), capitalizes on references to “solana-py” in other libraries’ documentation, and modifies the “__init__.py” file to include malicious code.
The main danger of this attack is that it exploits the fact that “solana-py” is widely used in GitHub documentation, making it likely that developers download the harmful package.
Researchers highlighted several important distinctions, such as the fake package’s maintainer name being “treefinder” while the actual maintainer is “michaelhly,” demonstrating why every package added to a Python project must be checked for authenticity.
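The kind of pre-install check the researchers call for, as an added example that is not part of the article or of the solana-py project: it compares a requirements list against an allowlist of intended packages and their verified maintainers, flagging lookalike names (via PEP 503 normalisation and fuzzy matching), maintainer changes, and a lookalike that outruns the real package’s version. The metadata dictionary is constructed sample data standing in for a PyPI lookup, using the names, maintainers and versions reported above.

```python
import difflib
import re
from typing import Dict, List, Tuple

# Constructed stand-in for PyPI metadata lookups (not live PyPI data).
# The names, maintainers and versions are those reported in the article.
PYPI_METADATA: Dict[str, Dict[str, str]] = {
    "solana":    {"maintainer": "michaelhly", "version": "0.34.3"},
    "solana-py": {"maintainer": "treefinder", "version": "0.34.5"},
}

# Allowlist of intended dependencies, each with the maintainer the team
# has verified out of band (here: the article's figure for "solana").
ALLOWLIST: Dict[str, str] = {"solana": "michaelhly"}


def normalize(req: str) -> str:
    """PEP 503 name normalisation, with any version specifier dropped."""
    base = re.split(r"[<>=!~\[; ]", req.strip(), maxsplit=1)[0]
    return re.sub(r"[-_.]+", "-", base).lower()


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in re.findall(r"\d+", v))


def audit_requirements(requirements: List[str], allowlist=ALLOWLIST,
                       metadata=PYPI_METADATA) -> List[Tuple[str, str, str]]:
    """Return (requirement, kind, detail) findings for risky entries."""
    findings = []
    for req in requirements:
        name = normalize(req)
        meta = metadata.get(name, {})
        if name in allowlist:
            # Right name: still confirm the maintainer has not changed.
            if meta.get("maintainer") != allowlist[name]:
                findings.append((req, "maintainer-mismatch",
                                 f"expected {allowlist[name]}, got {meta.get('maintainer')}"))
            continue
        # Not allowlisted: does it look like a near miss of something that is?
        close = difflib.get_close_matches(name, list(allowlist), n=1, cutoff=0.75)
        if not close:
            findings.append((req, "unknown", "not on the allowlist"))
            continue
        detail = f"resembles allowlisted '{close[0]}'"
        real = metadata.get(close[0], {}).get("version", "0")
        if version_tuple(meta.get("version", "0")) > version_tuple(real):
            detail += "; carries a higher version than the real package"
        findings.append((req, "lookalike", detail))
    return findings
```

In a real pipeline the metadata dictionary would be filled from the package index before installation, and any finding would block the install rather than merely report it.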
The sophisticated part of the attack sits in the package’s “exceptions.py”: the malicious code hidden there by ‘solana-py’ makes silent calls to Hugging Face’s hosted API in order to exfiltrate the stolen data.
The __init__.py file of version 0.34.3 of this package modifies a particular function from the solders library; this is essential to the attack because it is what lets the hackers steal Solana blockchain wallet keys. In this way, the attackers typosquat ‘solana-py’ and trick developers who use the legitimate ‘solders’ package.
Subsequently, the compromised application may expose sensitive information about cryptocurrencies belonging to both developers and their users.
This case shows how threat actors in the open-source ecosystem are changing their tactics with respect to projects dealing with cryptocurrency.
It highlights an immediate need for stronger supply chain security mechanisms such as better analysis of third-party dependencies, improved documentation practices, and greater attention to typosquatting risks.
The complete scenario emphasizes how important it is for any software development project, especially one handling critical financial data, to maintain a security-first approach throughout its lifecycle.