BleepingComputer reports that more than 2,000 Solana and Raydium blockchain projects are believed to have been compromised with malicious Python Package Index packages with information-stealing malware promoted via the online question-and-answer platform StackExchange.
Threat actors who created StackExchange accounts commented on popular threads with high-quality answers that included links to the packages, including 'spl-types,' 'sol-structs,' 'sol-instruct,' 'raydium,' and 'raydium-sdk,' which facilitated the download of scripts enabling browser, messaging app, and cryptocurrency wallet data exfiltration, according to a Checkmarx report. Further analysis of the infections revealed that the malware not only enabled the theft of Solana cryptocurrency wallet assets belonging to an IT employee but also the capturing of a private key screenshot, which could be leveraged to allow account hijacking. With such a development coming months after StackOverlfow answers were reported by Sonatype to have been leveraged to promote malicious PyPI packages, software developers have been urged to perform code inspections before usage to prevent potential compromise.
