Supply-chain threat intelligence
Risk score
92
Indexed incident for solidity-dev (pypi).
solidity_dev/init.py contains a large base64-encoded Linux x86_64 ELF binary in _PAYLOAD_B64. On import solidity_dev, the module decodes the blob, writes it to disk with executable permissions via os/stat/shutil, and spawns it through subprocess. The dropped ELF references installer-owned wallet and key material paths (~/.ethereum/keystore, ~/.foundry/keystores, ~/.config/solana/id.json), browser wallet extensions (metamask, phantom, ledger), and BIP-39 / mnemonic / seed keyword scanning (including Spanish variants semilla, frase, clave, billetera), and uploads collected material to attacker-controlled destinations including api.pinata.cloud/pinning/pinFileToIPFS (with pinata_api_key / pinata_secret_api_key headers), ugu.se/upload, temp.sh, and transfer.sh. The binary also installs a cron entry (0 */12 * * *) via crontab -l |... | crontab -, giving the operator scheduled re-execution on the host. The package advertises 'Solidity development helpers' but ships no Solidity-related code — the name is a cover story for the dropper.
The package embeds an executable stealing cryptocurrency wallets data. During import, code saves the executable under a name suggesting system utility and configures cron to run it periodically. The exfiltrated data is encrypted using embedded RSA code before uploading to file-sharing services or IPFS.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-07-py-base58
Reasons (based on the campaign):
crypto-related
exfiltration-crypto
persistence
Affected versions
Indicators
Timeline