Malicious Python Package Dupes Devs, Steals Solana Wallet Keys: A Cautionary Tale

Cybersecurity researchers have found a malicious PyPI package masquerading as a Solana library, designed to steal secrets. Named “solana-py,” it mimics the legitimate “solana” package and has been downloaded 1,122 times. This typo-squatting attack highlights the risks of supply chain vulnerabilities in software development.

3P
Published: August 11, 2024 10:21 amAdded: August 11, 2024 at 3:45 amAssembled by: The Editor
Pro Dashboard

Hot Take:

Looks like the Solana blockchain’s got more bugs than a summer picnic! Who knew a ‘solana-py’ could be more toxic than a python bite? This latest PyPI package drama is a reminder that even in the world of code, typos can be deadly.

Key Points:

  • Malicious package “solana-py” discovered on PyPI, mimicking legitimate Solana blockchain library.
  • The fake package was downloaded 1,122 times before being removed.
  • It injected code to steal Solana wallet keys and exfiltrate them to a rogue domain.
  • Legitimate libraries like “solders” inadvertently referenced the malicious package, increasing the attack surface.
  • Similar issues have been seen with npm packages and the Tea protocol.

Membership Required

 You must be a member to access this content.

View Membership Levels
Already a member? Log in here
The Nimble Nerd
powered by the NSA, er,  GDPR Cookie Compliance
Confessional Booth of Our Digital Sins

Okay, deep breath, let's get this over with. In the grand act of digital self-sabotage, we've littered this site with cookies. Yep, we did that. Why? So your highness can have a 'premium' experience or whatever. These traitorous cookies hide in your browser, eagerly waiting to welcome you back like a guilty dog that's just chewed your favorite shoe. And, if that's not enough, they also tattle on which parts of our sad little corner of the web you obsess over. Feels dirty, doesn't it?