Supply-chain threat intelligence

Incident detail

criticalpypi·credential theft·osv

Malicious code in solidity-dev (PyPI)

solidity-dev

Risk score

92

AI summary

Indexed incident for solidity-dev (pypi).

Description

solidity_dev/init.py contains a large base64-encoded Linux x86_64 ELF binary in _PAYLOAD_B64. On import solidity_dev, the module decodes the blob, writes it to disk with executable permissions via os/stat/shutil, and spawns it through subprocess. The dropped ELF references installer-owned wallet and key material paths (~/.ethereum/keystore, ~/.foundry/keystores, ~/.config/solana/id.json), browser wallet extensions (metamask, phantom, ledger), and BIP-39 / mnemonic / seed keyword scanning (including Spanish variants semilla, frase, clave, billetera), and uploads collected material to attacker-controlled destinations including api.pinata.cloud/pinning/pinFileToIPFS (with pinata_api_key / pinata_secret_api_key headers), ugu.se/upload, temp.sh, and transfer.sh. The binary also installs a cron entry (0 */12 * * *) via crontab -l |... | crontab -, giving the operator scheduled re-execution on the host. The package advertises 'Solidity development helpers' but ships no Solidity-related code — the name is a cover story for the dropper.

The package embeds an executable stealing cryptocurrency wallets data. During import, code saves the executable under a name suggesting system utility and configures cron to run it periodically. The exfiltrated data is encrypted using embedded RSA code before uploading to file-sharing services or IPFS.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-07-py-base58

Reasons (based on the campaign):

  • crypto-related

  • exfiltration-crypto

  • persistence

Technical details

Affected versions

=1.3.0

Indicators

  • affected version=1.3.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents