
Cybersecurity researchers have discovered a malicious package in the Python Package Index (PyPI) repository that claims to be an application related to the Solana blockchain but contains malicious functionality to steal source code and developer secrets.
The package, named Solana-Token, is no longer available for download from PyPI, but not before it was downloaded 761 times. It was first published on PyPI in early April 2024, albeit with a completely different version numbering scheme.
“When installed, the malicious package tries to exfiltrate source code and developer secrets from the developer’s machine to hard-coded IP addresses,” said Karlo Zanki, a researcher at ReversingLabs, in a report shared with Hacker News.

Specifically, the package is designed to copy and exfiltrate the source code contained in all files on the Python execution stack, under the guise of a blockchain function named “Register_Node()”.
This unusual behavior suggests that the attackers are after sensitive cryptography-related secrets that could be hard-coded during the early stages of development in programs that incorporate the malicious function in question.
It is believed that developers looking to create their own blockchain are the likely targets of the threat actors behind the package. This assessment is based on the package name and the functions it incorporates.
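As an added illustration (not code from the report or from ReversingLabs), the following static check flags a Python module that combines the three indicators described above: execution-stack introspection, a network sender, and a hard-coded IPv4 literal. The indicator name lists, the `scan_source`/`is_suspicious` helpers and the two sample modules are constructed assumptions for this example.

```python
import ast
import re

# Indicators for the behaviour described above: reading callers' source via
# the execution stack, then sending data to a hard-coded IP. These name
# lists are assumptions for this example, not a published ruleset.
STACK_INTROSPECTION = {"inspect.stack", "inspect.getouterframes",
                       "inspect.getsource", "sys._getframe"}
NETWORK_SENDERS = {"socket.socket", "requests.post", "requests.put",
                   "urllib.request.urlopen", "http.client.HTTPConnection"}
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def _dotted(node):
    """Render an `a.b.c` call target as text; '' if not a plain name chain."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""

def scan_source(src):
    """Statically scan one module's source; returns the indicator hits."""
    hits = {"ips": [], "stack": [], "network": []}
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if IPV4.match(node.value):
                hits["ips"].append(node.value)
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in STACK_INTROSPECTION:
                hits["stack"].append(name)
            elif name in NETWORK_SENDERS:
                hits["network"].append(name)
    return hits

def is_suspicious(src):
    """Flag only the full combination: destination, sender and stack access."""
    h = scan_source(src)
    return bool(h["ips"] and h["network"] and h["stack"])

# Constructed sample modules (not the real package), one per outcome.
SAMPLE_BAD = ("import inspect, socket\ndef register_node():\n"
              "    frames = inspect.stack()\n    s = socket.socket()\n"
              "    s.connect(('192.0.2.10', 4444))\n")
SAMPLE_OK = "import inspect\ndef caller():\n    return inspect.stack()[1].filename\n"
```

A single indicator on its own is common in legitimate code (logging libraries walk the stack, clients talk to fixed addresses), so the check only fires on the combination; run it over each `.py` file of a freshly downloaded wheel or sdist before installing.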

Exactly how the package was distributed to users is currently unknown, but it may have been advertised on a developer-centric platform.
If anything, the finding highlights that cryptocurrency continues to be one of the most popular targets for supply chain threat actors, and that steps need to be taken to scrutinize all packages before developers use them.
“Development teams should actively monitor for suspicious activity or unexplained changes in both open source and commercial third-party software modules,” Zanki said. “By stopping malicious code before it penetrates a safe development environment, teams can prevent destructive types of supply chain attacks.”