BIGFISH TECHNOLOGY LIMITED
15 August 2024

Beware of Malicious Typosquat Package That Steals Your Secret Keys.

Attackers regularly target the Solana Python ecosystem, aiming to exploit weaknesses in decentralised applications, steal private keys, or manipulate blockchain transactions.

The Solana Python API ecosystem was recently hit by a typosquatting attack, tracked by Sonatype as sonatype-2024-3214.

The official Solana Python API project, called "solana-py" on GitHub but "solana" on PyPI (Python Package Index), has been typosquatted.

A threat actor took advantage of that naming difference and uploaded a fake package called "solana-py" to PyPI.

Sonatype's security researchers confirmed that the bogus package combines the genuine project's code with hidden functionality designed to harvest sensitive data.

The attack exploits developers' uncertainty about the project's install name: anyone who installs the wrong name while expecting the real Solana API gets the malicious package instead.

Malicious typosquat package
The fake "solana-py" package on PyPI exploited the mismatch between the legitimate project's GitHub name ("solana-py") and its PyPI name ("solana").

The scam package uses several tricks to look authentic: a higher version number than the real package (0.34.5 vs. the legitimate 0.34.3), the many references to "solana-py" in other libraries' documentation, and a modified "__init__.py" file that carries the malicious code.

The key risk is that "solana-py" appears widely in GitHub documentation, so developers who copy that name into a pip install command or a requirements file pull in the malicious package.

Researchers also noted several tell-tale differences, such as the maintainer name: "treefinder" on the fake package versus "michaelhly" on the real one. This underlines the need to verify the provenance of every package before installing it from the Python ecosystem.
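The naming confusion described above can be caught before `pip install` runs. The following is an added example, not code from the article or from the solana-py project: it parses a requirements file, normalises each name the way PyPI does, and flags any entry that is a GitHub repository name rather than the PyPI install name, or that sits within a couple of edits of an allowlisted package. The allowlist and the sample requirements lines are constructed for the example; only the "solana"/"solana-py" pair comes from the article.

```python
import re

# Hypothetical allowlist for this example: PyPI install name -> name of the
# project's GitHub repository.  The solana / solana-py pair is from the article;
# the other entries are constructed.
ALLOWLIST = {
    "solana": "solana-py",
    "solders": "solders",
    "requests": "requests",
}

# Constructed sample requirements file (not from the article).
SAMPLE_REQUIREMENTS = [
    "solana==0.34.3",
    "solana-py>=0.34.5   # copied from the project's GitHub README",
    "solders",
    "requests",
    "-r base.txt",
    "reqeusts",
]


def normalize(name):
    """PEP 503 normalisation: case-insensitive, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(line):
    """Return the normalised project name from one requirements line, or None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):          # blank, comment-only, or pip option
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return normalize(m.group(0)) if m else None


def edit_distance(a, b):
    """Levenshtein distance; small enough to inline rather than add a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(lines, allowlist=ALLOWLIST, max_distance=2):
    """Flag requirement names that are not allowlisted PyPI names.

    Returns a list of (name, reason) tuples; an empty list means clean.
    """
    # Reverse map: GitHub repo name -> PyPI name, only where the two differ.
    repo_to_pypi = {normalize(repo): pypi for pypi, repo in allowlist.items()
                    if normalize(repo) != pypi}
    findings = []
    for line in lines:
        name = parse_requirement(line)
        if name is None or name in allowlist:
            continue
        if name in repo_to_pypi:
            findings.append((name, f"GitHub repo name; install '{repo_to_pypi[name]}' from PyPI instead"))
            continue
        near = [p for p in allowlist if edit_distance(name, p) <= max_distance]
        if near:
            findings.append((name, f"not allowlisted and within {max_distance} edits of {near}"))
        else:
            findings.append((name, "not allowlisted"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_REQUIREMENTS):
        print(f"{name}: {reason}")
```

Run it as a pre-install gate in CI. The version trick the article mentions (0.34.5 on the fake package versus 0.34.3 on the real one) does not help an attacker here, because pip resolves on the name first and this check never lets the wrong name through.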

The package's "exceptions.py" hides the malicious logic, which silently calls an API hosted on Hugging Face to exfiltrate the collected data.

In version 0.34.3 of the fake package, the "__init__.py" file replaces a specific function from the solders library; that function handles Solana wallet keys, so the replacement lets the attackers capture them. Because the patch is applied to solders itself when the typosquat is imported, a developer who installs "solana-py" by mistake ends up running a tampered copy of the legitimate solders package even though their own code only calls solders.

As a result, the compromised application can leak cryptocurrency wallet secrets belonging to both the developers and their users.
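The mechanism in the two paragraphs above, an import-time replacement of a dependency's function plus a check that catches it, as an added example that is not code from the article or from the malicious package. The article does not name the solders function that was replaced, so the dependency here is a constructed stand-in module ("fake_solders") with a hypothetical "keypair_from_bytes" function, and a plain list stands in for the remote endpoint the real malware posted keys to.

```python
import functools
import inspect
import sys
import types

# --- Stand-in for the legitimate dependency -------------------------------
# Constructed for this example: a minimal module playing the role of solders.
# The function name is hypothetical; the article does not say which solders
# function the typosquat replaced.  Compiling with an explicit filename gives
# the function a realistic co_filename, as an installed package would have.
FAKE_DEP_FILE = "/site-packages/fake_solders/__init__.py"
legit = types.ModuleType("fake_solders")
legit.__file__ = FAKE_DEP_FILE
exec(compile(
    "def keypair_from_bytes(raw):\n"
    "    return {'secret': bytes(raw[:32]), 'public': bytes(raw[32:])}\n",
    FAKE_DEP_FILE, "exec"), legit.__dict__)
sys.modules[legit.__name__] = legit

# --- What the typosquat's __init__.py does at import time -----------------
CAPTURED = []  # stands in for the remote endpoint the real malware sent keys to


def install_hook(dep):
    """Replace dep.keypair_from_bytes with a wrapper that copies the secret out."""
    original = dep.keypair_from_bytes

    @functools.wraps(original)          # copies __name__/__module__/__doc__: name checks are fooled
    def patched(raw):
        kp = original(raw)
        CAPTURED.append(kp["secret"])   # real malware would send this over the network
        return kp                       # the caller sees normal behaviour

    dep.keypair_from_bytes = patched


# --- The check a practitioner can run -------------------------------------
def find_foreign_functions(module):
    """Module-level functions whose bytecode was not compiled from module.__file__.

    __module__ and __name__ are copied by functools.wraps, so they are not
    trustworthy; the code object's co_filename is set at compile time and
    still points at the file the wrapper really came from.
    """
    findings = []
    for name, obj in vars(module).items():
        if inspect.isfunction(obj) and obj.__code__.co_filename != module.__file__:
            findings.append((name, obj.__code__.co_filename))
    return findings


if __name__ == "__main__":
    raw_key = bytes(range(64))          # constructed 64-byte keypair blob
    print("before hook:", find_foreign_functions(legit))
    install_hook(legit)                 # what importing the typosquat would trigger
    legit.keypair_from_bytes(raw_key)   # looks like an ordinary call into the dependency
    print("captured secrets:", len(CAPTURED))
    print("after hook:", find_foreign_functions(legit))
```

The check only walks module-level functions; for a dependency whose sensitive behaviour lives in class methods, walk the classes with `inspect.getmembers` and apply the same co_filename comparison. It is a runtime sanity check, not a substitute for verifying the package name and maintainer before installing.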

This case shows how threat actors in the open-source ecosystem are adapting their tactics to target cryptocurrency-related projects.

It emphasises the urgent need for stronger supply-chain security practices: closer scrutiny of third-party dependencies, documentation that states the exact install name, and more attention to typosquatting risks.

The whole episode underlines how crucial it is for any software project, particularly one that handles sensitive financial data, to maintain a security-first approach throughout its lifecycle.

Source:  Cyber Security News