The legitimate Solana Python API project is known as "solana-py" on GitHub, but simply "solana" on the Python software registry, PyPI. This slight naming discrepancy has been leveraged by a threat actor who published a "solana-py" project on PyPI which, in addition to borrowing real code from the legitimate project, quietly steals your secrets, making it an ideal typosquat.
Solana or solana-py?
Tracked as sonatype-2024-3214, the Sonatype Security Research team analyzed a suspicious 'solana-py' package which appeared on PyPI this week. The package was flagged by our automated malware detection system that powers groundbreaking products like Sonatype Repository Firewall.
Our security researcher Carlos Fernandez who led the investigation on "solana-py" made some critical observations.
Although the project may appear real at a first glance, and even has the same name as the legitimate GitHub project "solana-py" (which, on PyPI exists simply as 'solana'), the typosquat is convincing and problematic for the following reasons:
Fernandez points out, legitimate libraries like solders make references to "solana-py" in their PyPI documentation, making it highly possible for developers to mistakenly download "solana-py" from PyPI thereby making the attack surface much wider and than expected.
"The legitimate Solders project mentions the solana-py
package, making it easier for attackers to impersonate the package name on PyPI, because that name (solana-py) is used only on GitHub," states Fernandez.
The researcher further stated that the most recent version of (the real project) "solana" was 0.34.3, whereas that for the counterfeit "solana-py" is 0.34.5, which gives off an impression that the latter is a more recent version of the project.
"The malicious maintainer is treefinder but the one behind legitimate project is michaelhly," further notes Fernandez.
Additionally, there have been no recent code changes made to the "__init__.py" file of the real project on GitHub, whereas we observed that the same file in the counterfeit PyPI component had been altered.
Abuses Hugging Face Spaces to exfiltrate secrets
The "__init__.py" in the counterfeit component imports a "solana.exceptions" library that may miss the scrutiny of developers and analysts alike, being mistaken for a simple error-handling library.
Inspecting the "exceptions.py" file, however, reveals the package author's malicious intentions.
Buried in the code is a network call to the following URL (defanged by us for safety):
hxxps://treeprime-gen.hf[.]space/image?s=...
The *.hf.space subdomain URL, purportedly created by the publisher of the package "treeprime" appears to be an API where data collected from the system is being sent to.
The *.hf.space domains are offered by Hugging Face, an AI development platform and community website that allows creators to host their "spaces" on these subdomains.
We have previously explored how Hugging Face has also caught the attention of adversaries looking to exploit the platform to distribute malicious AI/ML models.
A previous version (0.34.3) of the counterfeit "solana-py" shows what could be the reason for this network call. In that version, the "__init__.py" file itself makes a call to the threat actor's *.hf.space subdomain.
Fernandez explains that this is an attempt by the package publisher to override a key function used by the "solders" library, and to exfiltrate secrets like Solana's blockchain wallet keys from the system."The solders.keypair.Keypair.__init__
method is being replaced by the attackers new_method()
function, which tries to exfiltrate the self.to_bytes_array
value to a rogue domain," says Fernandez.
"Those bytes are the ones used by solders
to call the Solana Core SDK. Having access allows attackers to steal Solana’s blockchain wallets."
In other words, if a developer using the legitimate "solders" PyPI package in their application is mislead (by solders' documentation) to fall for the typosquatted "solana-py" project, they'd inadvertently introduce a crypto stealer into their application. This would not only steal their secrets, but those of any user running the developer's application.
Sonatype Repository Firewall comes to the rescue
This isn't the first time a stunt like this has been pulled but a stark reminder of threat actors' evolving tactics and commitment to exploiting the open source ecosystem for nefarious reasons. The case highlights a pressing need for improved supply chain security measures and greater vigilance in monitoring third-party software registries Developers and organizations must prioritize security at every stage of the development process to mitigate risks associated with third-party dependencies.
Malicious open source is designed to evade typical software composition analysis (SCA) scanners. However, users of Sonatype Repository Firewall can rest easy knowing that these packages would automatically be blocked from reaching their development builds and keep their software development life cycle (SDLC) hygienic.
If you're not already protected with Sonatype, get in touch so we can show you Repository Firewall in action.
Written by Ax Sharma
Ax is a Staff Security Researcher & Malware Analyst at Sonatype with a penchant for open source software. His works and expert analyses have frequently been featured by leading media outlets including the BBC. Ax's expertise lies in security vulnerability research, reverse engineering, and cybercrime investigations. He has a passion for educating a wide range of audiences through writing and vlogs.
Explore All Posts by Ax Sharma