Blockchain platform Solana had its users' blockchain wallet keys targeted for exfiltration by a fraudulent typosquatted Python Package Index repository "solana-py", which was downloaded more than 1,100 times before being removed from PyPI, The Hacker News reports.
Aside from featuring version numbers matching or purporting to be newer than the legitimate "solana" package, such typosquatted project was noted to perform code injections enabling the theft of Solana blockchain wallet keys, which are later sent to an attacker-controlled Hugging Face Spaces domain, according to an analysis from Sonatype.
"...[I]f a developer using the legitimate 'solders' PyPI package in their application is mislead (by solders' documentation) to fall for the typosquatted 'solana-py' project, they'd inadvertently introduce a crypto stealer into their application. This would not only steal their secrets, but those of any user running the developer's application," said Sonatype researcher Ax Sharma. Such findings follow Phylum's discovery of numerous spam npm packages exploiting Tea protocol markers.
