Malicious Package on PyPI Targets Solana Developers and Compromises Source Code


By Tina Reynolds


Earlier this month, cybersecurity researchers from Phylum reported finding a malicious package named “solana-token” available through the Python Package Index (PyPI). The package is explicitly aimed at Solana blockchain developers. It was released in early April 2024 as a nominal $856 million package and was subsequently downloaded 761 times before the government took it down from the platform. The package’s capabilities allowed it to steal entire source code files and sensitive developer secrets.

The finding was first reported to The Hacker News by ReversingLabs researcher Karlo Zanki, who made the discovery. The malicious package masqueraded as a legitimate key generator for the Solana blockchain, but behind the scenes it was loaded with functionality that hijacked users’ code and private data.

Details of the Malicious Package

The “solana-token” package introduced a non-standard version numbering scheme at its inception. This confusing strategy probably contributed to its runaway download success among unsuspecting developers. Which specific distribution tactics led to that success is not yet clear; it is believed that advertising ran on developer-targeted platforms.

Karlo Zanki highlighted the need for vigilance in our software development environments. He stated,

“Development teams need to aggressively monitor for suspicious activity or unexplained changes within both open source and commercial, third-party software modules.”

This announcement reflects an alarming increase in risks targeting developers who use third-party packages to accelerate their development efforts.
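A defensive pre-install check in the spirit of that advice, written for this article and not code from Phylum, ReversingLabs or the package itself: it flags a non-standard version string of the kind described above, and statically inspects a package's files for a custom setup.py install command (code that runs during `pip install`) and for modules that both read local files or secret paths and use the network. The package contents in SAMPLE_SOURCES and the host `example.invalid` are constructed for the example.

```python
import ast
import re

# Loose PEP 440 shape: release segment plus optional pre/post/dev/local parts.
PEP440_RE = re.compile(r"^\d+(\.\d+)*((a|b|rc)\d+)?(\.post\d+)?(\.dev\d+)?(\+[a-z0-9.]+)?$", re.I)
NETWORK_MODULES = {"socket", "urllib.request", "http.client", "requests", "httpx"}
SECRET_HINTS = re.compile(r"\.env|id_rsa|\.ssh|\.aws|keypair|credentials", re.I)

def version_is_standard(version: str) -> bool:
    return bool(PEP440_RE.match(version.strip()))

def scan_source(src: str) -> dict:
    """Static indicators for one module: network use, file walking, secret paths, install hook."""
    tree = ast.parse(src)
    modules, calls, install_hook = set(), set(), False
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            modules.update(a.name for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            modules.add(node.module)
        elif isinstance(node, ast.Call):
            func = ast.unparse(node.func)
            calls.add(func)
            if func == "setup" and any(k.arg == "cmdclass" for k in node.keywords):
                install_hook = True  # setup() overrides a command such as install
    return {"network": bool(modules & NETWORK_MODULES), "install_hook": install_hook,
            "walks_fs": bool(calls & {"os.walk", "glob.glob"}), "secret_paths": bool(SECRET_HINTS.search(src))}

def triage_package(version: str, sources: dict) -> list:
    """Reasons to hold a package for review before it reaches a developer machine."""
    findings = []
    if not version_is_standard(version):
        findings.append(f"non-standard version string {version!r}")
    for path, src in sources.items():
        s = scan_source(src)
        if s["install_hook"]:
            findings.append(f"{path}: custom setup.py install command")
        if s["network"] and (s["walks_fs"] or s["secret_paths"]):
            findings.append(f"{path}: reads local files/secrets and uses the network")
    return findings

# Constructed sample package (not the real solana-token code).
SAMPLE_SOURCES = {
    "setup.py": "from setuptools import setup\nfrom setuptools.command.install import install\n"
                "class Hook(install):\n    pass\nsetup(name='demo', version='1.0', cmdclass={'install': Hook})\n",
    "demo/keygen.py": "import os, urllib.request\ndef run():\n"
                      "    names = [f for _, _, fs in os.walk('.') for f in fs if f == '.env']\n"
                      "    urllib.request.urlopen('http://example.invalid/')\n",
}
```

Run `triage_package("1.0.0-release", SAMPLE_SOURCES)` to see all three indicators reported; the check is a coarse triage filter, not a substitute for reading the package.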

Impact on Developers

The “solana-token” package did more than rack up downloads: it highlights a critical security weakness in software development practices that remains prevalent in the Solana community. Developers rely on hundreds or thousands of packages from PyPI to extend and build on their projects, which makes them ripe targets for malicious actors.

Now that blockchain has become part of the zeitgeist and been adopted by a new wave of developers, the integrity of the tools they use is paramount. The incident highlights the pressing need for development teams to implement robust security measures and to scrutinize third-party software closely.