Sunday, April 27, 2025

Hackers Abused StackExchange Platform To Deliver Malicious Python Package


Attackers uploaded malicious Python packages targeting Raydium and Solana users to PyPI, using a StackExchange post to drive victims to the malware.

The multi-stage malware stole sensitive data, drained cryptocurrency wallets, and established persistent backdoor access while bypassing Windows security protections. The case underscores the vulnerability of software supply chains and the ineffectiveness of traditional endpoint security solutions against modern threats.

Multi-stage assault

An initial payload triggered a multi-stage attack, downloading additional malicious scripts to steal sensitive data.


The malware exfiltrated browser data, cryptocurrency wallet information, messaging app content, and screenshots. 

It also searched for specific keywords and encryption keys. Stolen data was compressed and sent via Telegram bots, while a backdoor provided persistent system access to the attacker. 

One of the attacker’s Telegram bots receiving screenshots and data from victims’ machines.

Analysis of attack victims reveals a strong correlation to Raydium and Solana users, indicating a targeted attack.

The attacker likely sought financial gain through the interception or manipulation of high-value transactions within this ecosystem, demonstrating strategic planning and a clear financial motive. 

Attackers Strategically Engineered Malware

The deceptive tactic involved creating a package that closely resembled legitimate software, potentially leveraging existing software’s functionality or codebase. 

The malicious payload was then stealthily embedded within the package, aiming to bypass initial security checks and execute harmful actions once installed. 

Raydium is a legitimate Solana-based automated market maker (AMM) that has no official Python library. The attacker exploited this absence by creating a fraudulent Python package of the same name on PyPI, aiming to mislead developers into installing malicious code under the guise of a legitimate Raydium integration.

The malicious actor embedded the harmful “spl-types” package within a seemingly legitimate dependency, effectively camouflaging the threat and misleading unsuspecting users into installing it alongside the trusted package. 

The malicious packages in this campaign were dependencies within other seemingly legitimate packages.
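The hidden-dependency trick described above is visible in a package's own metadata before anything is installed. The following added example (not code from the article or from Checkmarx) parses the `Requires-Dist` headers of a wheel or sdist `METADATA` file and flags any dependency that is not on a vetted allowlist; the sample metadata and the allowlist are constructed for illustration and are not the real artifacts from this campaign.

```python
import re
from email.parser import Parser

# Constructed sample METADATA modelled on the "raydium" lookalike described in the
# article: a plausible-looking package that quietly pulls in "spl-types".
# Versions and summary are illustrative, not taken from the real package.
SAMPLE_METADATA = """\
Metadata-Version: 2.1
Name: raydium
Version: 0.1.0
Summary: Raydium integration for Python
Requires-Dist: solana
Requires-Dist: spl-types
Requires-Dist: requests>=2.0 ; extra == "http"
"""

# Hypothetical allowlist of dependencies an organisation has already reviewed.
VETTED = {"solana", "requests"}


def normalize(name):
    """PEP 503 name normalisation so 'SPL_Types' and 'spl-types' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requires_dist(metadata_text):
    """Return the project names declared in Requires-Dist headers (PEP 566 layout).

    METADATA is an RFC 822-style header block, so the stdlib email parser reads it.
    Each value may carry a version specifier, extras or an environment marker;
    only the leading project name is needed here.
    """
    msg = Parser().parsestr(metadata_text)
    names = []
    for req in msg.get_all("Requires-Dist") or []:
        m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", req)
        if m:
            names.append(normalize(m.group(1)))
    return names


def unvetted_dependencies(metadata_text, allowlist):
    """Dependencies the package declares that nobody has reviewed yet."""
    allowed = {normalize(n) for n in allowlist}
    return sorted(set(parse_requires_dist(metadata_text)) - allowed)


if __name__ == "__main__":
    for dep in unvetted_dependencies(SAMPLE_METADATA, VETTED):
        print(f"unvetted dependency: {dep}")
```

Run this against a downloaded artifact (`pip download --no-deps <pkg>` and extract its `METADATA`) rather than against an already installed package, so the check happens before any install-time code can execute.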

An attacker strategically leveraged StackExchange to promote a malicious “Raydium” package.

By infiltrating a highly viewed thread related to Raydium and Solana development, they crafted a seemingly authoritative response incorporating their malicious package. 

According to Checkmarx, this deceptive tactic, aiming to establish credibility and drive adoption, highlights the critical need for rigorous package verification, especially when relying on recommendations from anonymous online sources. 

Bottom left: Screenshot of the victim’s screen. Top right: Windows Defender scan declaring in Dutch that the system is clear of threats after the scan. Top left: victim’s private key.

These malicious packages exploited weaknesses in supply-chain security, causing severe financial losses for individuals and exposing critical gaps in existing security measures.

The attack compromised user systems, stealing sensitive data, including private keys. 

Traditional security solutions such as Windows Defender failed to detect the threat, emphasizing the need for stronger protection against package-based attacks. Furthermore, when malicious packages are removed from repositories without leaving traces, threat investigation is hindered and users remain vulnerable to future attacks from the same source.

Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
