
Ideal typosquat ‘solana-py’ steals your crypto wallet keys

The legitimate Solana Python API project is known as “solana-py” on GitHub, but simply “solana” on the Python software registry, PyPI. This slight naming discrepancy has been leveraged by a threat actor who published a “solana-py” project on PyPI which, in addition to borrowing real code from the legitimate project, quietly steals your secrets, making it an ideal typosquat.

Solana or solana-py?

The Sonatype Security Research team analyzed a suspicious “solana-py” package, tracked as sonatype-2024-3214, which appeared on PyPI this week. The package was flagged by our automated malware detection system, which powers products like Sonatype Repository Firewall.

Our security researcher Carlos Fernandez who led the investigation on “solana-py” made some critical observations.

The project may appear real at first glance, and it even shares the name of the legitimate GitHub project “solana-py” (which exists on PyPI simply as “solana”). The typosquat is convincing and problematic for the following reasons:

Fernandez points out that legitimate libraries such as solders refer to “solana-py” in their PyPI documentation, making it quite possible for developers to mistakenly download “solana-py” from PyPI, which makes the attack surface much wider than expected.

“The legitimate Solders project mentions the solana-py package, making it easier for attackers to impersonate the package name on PyPI, because that name (solana-py) is used only on GitHub,” states Fernandez.

The researcher further stated that the most recent version of the real project, “solana”, was 0.34.3, whereas the counterfeit “solana-py” is at 0.34.5, which gives the impression that the latter is the more recent release of the project.
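The two lures described above, a PyPI name that differs from the project's GitHub repository name and a version number higher than the legitimate release, can be checked mechanically before a dependency is trusted. The following script is an added example written for this post, not code from Sonatype or from either package. It works on the `info` object shape of PyPI's JSON API, but the metadata dicts, the `example-org` GitHub owner, and the `PUBLISHED_AS` allow-list mapping a repository name to the name it really publishes under are constructed here; only the package names and the versions 0.34.3 / 0.34.5 come from the article.

```python
"""Flag a PyPI package whose name does not match its GitHub repository, and
whose version outruns the legitimate project's latest release.

Added example, not code from the article or the projects it discusses.
Metadata dicts mirror the `info` object of PyPI's JSON API but are
constructed for an offline demo; the GitHub owner is a placeholder.
"""
from __future__ import annotations

import re

GITHUB_RE = re.compile(r"https?://github\.com/([^/\s]+)/([^/\s#?]+)", re.IGNORECASE)


def normalize(name: str) -> str:
    """PEP 503 normalisation so 'Solana_Py', 'solana-py' and 'solana.py' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> tuple[int, ...]:
    """Numeric-only version parse; sufficient for the x.y.z releases discussed here."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def github_repo(info: dict) -> str | None:
    """Return the repository name from the first GitHub URL in the metadata, or None."""
    urls = [info.get("home_page") or ""] + list((info.get("project_urls") or {}).values())
    for url in urls:
        match = GITHUB_RE.search(url)
        if match:
            return match.group(2).removesuffix(".git")
    return None


def audit_package(info: dict, published_as: dict[str, tuple[str, str]]) -> list[str]:
    """Return findings for one PyPI `info` block.

    published_as maps a normalised GitHub repo name to (real PyPI name, latest version),
    i.e. an allow-list the reviewer maintains for projects whose two names differ.
    """
    findings: list[str] = []
    pypi_name = normalize(info["name"])
    repo = github_repo(info)
    if repo is None:
        return ["no GitHub repository URL in metadata; the name cannot be cross-checked"]

    known = published_as.get(normalize(repo))
    if known is None:
        # Unknown project: a name mismatch is worth a manual look, nothing more.
        if normalize(repo) != pypi_name:
            findings.append(
                f"PyPI name '{info['name']}' differs from repository name '{repo}'; "
                "verify which name the maintainers actually publish under"
            )
        return findings

    real_name, real_version = known
    if normalize(real_name) != pypi_name:
        findings.append(
            f"repository '{repo}' is published on PyPI as '{real_name}', not '{info['name']}'"
        )
    if parse_version(info["version"]) > parse_version(real_version):
        findings.append(
            f"version {info['version']} is newer than the legitimate project's latest "
            f"{real_version}; a higher number is a lure, not proof of authenticity"
        )
    return findings


# Constructed sample metadata (placeholder GitHub owner, versions cited in the article).
LEGIT = {
    "name": "solana",
    "version": "0.34.3",
    "project_urls": {"Repository": "https://github.com/example-org/solana-py"},
}
SUSPECT = {
    "name": "solana-py",
    "version": "0.34.5",
    "home_page": "https://github.com/example-org/solana-py",
}
# Reviewer-maintained allow-list: repo 'solana-py' legitimately publishes as 'solana'.
PUBLISHED_AS = {"solana-py": ("solana", "0.34.3")}

if __name__ == "__main__":
    for pkg in (LEGIT, SUSPECT):
        print(pkg["name"], "->", audit_package(pkg, PUBLISHED_AS) or ["no findings"])
```

Run as a script it reports nothing for `solana` and two findings for `solana-py`. The allow-list is the important design choice: a bare name mismatch is exactly the situation the legitimate project is in, so it is only a prompt to look closer, while a mismatch against a known mapping is the signal.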

“The malicious maintainer is but the one behind legitimate project is

*** This is a Security Bloggers Network syndicated blog from 2024 Sonatype Blog authored by Ax Sharma. Read the original post at: https://www.sonatype.com/blog/an-ideal-pypi-typosquat-solana-py-is-here-to-steal-your-crypto-keys