A new malware campaign dubbed “Solana-Drainer” is targeting developers using Jupyter Notebooks to steal cryptocurrency. The attack involves malicious Python packages uploaded to PyPI (Python Package Index), which, when installed, scan for Jupyter Notebook files containing crypto wallet credentials and drain the funds.
Key Details:
- Attack Vector: Malicious PyPI packages (`solana-python`, `solana-dev`)
- Target: Developers working with the Solana blockchain and Jupyter Notebooks
- Method: Exfiltrates private keys stored in `.ipynb` files
- IOCs (Indicators of Compromise): Safety Cybersecurity Blog
You Should Know: How to Detect and Prevent Solana-Drainer Attacks
1. Check if You’ve Installed Malicious Packages
Run the following command to list installed Python packages and check for known malicious ones:
pip list | grep -E 'solana-python|solana-dev'
If found, uninstall immediately:
pip uninstall solana-python solana-dev -y
2. Scan Jupyter Notebooks for Suspicious Code
Use `grep` to search `.ipynb` files for the import line the malicious packages rely on (this matches only that exact string, so obfuscated or split imports will not be caught):
grep -r --include="*.ipynb" "import os, subprocess, base64" ~/
3. Verify PyPI Packages Before Installation
Check the package metadata and its project page (note that `pip show` only describes packages that are already installed):
pip show <package_name>
To inspect a package before installing it, query PyPI's JSON API, which returns the maintainer, release history and project URLs:
curl -s https://pypi.org/pypi/solana-python/json | jq
4. Isolate Crypto Wallet Credentials
Never store private keys in notebooks. Use environment variables instead:
export SOLANA_PRIVATE_KEY="your_key_here"
Then read them in Python instead of pasting the key into a cell:
import os
private_key = os.getenv("SOLANA_PRIVATE_KEY")
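A small scanner that does what steps 2 and 4 describe in one pass: it parses each `.ipynb` as JSON cell by cell, flags the dropper-style import line and inline base64 decoding, and flags a private key hard-coded in a cell instead of read from the environment. This is an added example, not code from the original post; the sample notebook is constructed, and the base58 key-length heuristic is an assumption.

```python
import json
import re
from pathlib import Path

# Heuristics drawn from the post: the combined import line the malicious packages
# look for, a long base64 blob decoded inline, and secrets hard-coded in a cell.
SUSPICIOUS_CODE = [
    ("combined os/subprocess/base64 import", re.compile(r"import\s+os\s*,\s*subprocess\s*,\s*base64")),
    ("long base64 literal decoded inline", re.compile(r"base64\.b64decode\(.{40,}\)")),
]
SECRET_PATTERNS = [
    ("SOLANA_PRIVATE_KEY assigned a literal", re.compile(r"SOLANA_PRIVATE_KEY\s*=\s*['\"][^'\"]+['\"]")),
    # Assumption: a 64-byte Solana secret key base58-encodes to 87-88 characters.
    ("base58 literal of secret-key length", re.compile(r"['\"][1-9A-HJ-NP-Za-km-z]{87,88}['\"]")),
]

def scan_notebook(nb_json: str) -> list:
    # Returns (cell_index, category, description) for every hit in a code cell.
    findings = []
    for idx, cell in enumerate(json.loads(nb_json).get("cells", [])):
        if cell.get("cell_type") != "code":
            continue
        src = "".join(cell.get("source", []))  # .ipynb stores source as a list of lines
        for desc, pat in SUSPICIOUS_CODE:
            if pat.search(src):
                findings.append((idx, "suspicious_code", desc))
        for desc, pat in SECRET_PATTERNS:
            if pat.search(src):
                findings.append((idx, "hardcoded_secret", desc))
    return findings

def scan_tree(root: str = "~") -> dict:
    # Walks every .ipynb under root (the grep over ~/ in step 2); returns {path: findings}.
    results = {}
    for nb in Path(root).expanduser().rglob("*.ipynb"):
        hits = scan_notebook(nb.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[str(nb)] = hits
    return results

# Constructed sample notebook, not a real artefact: a dropper-style cell, a
# hard-coded key, and a cell that reads the key from the environment (step 4).
SAMPLE_NOTEBOOK = json.dumps({"cells": [
    {"cell_type": "markdown", "source": ["# trading bot\n"]},
    {"cell_type": "code", "source": ["import os, subprocess, base64\n",
                                     "blob = base64.b64decode('" + "Q" * 44 + "')\n"]},
    {"cell_type": "code", "source": ["SOLANA_PRIVATE_KEY = '" + "5" * 88 + "'\n"]},
    {"cell_type": "code", "source": ["import os\n", "key = os.getenv('SOLANA_PRIVATE_KEY')\n"]},
]})
```

Only the second and third cells of the sample are reported; the cell that uses `os.getenv` is clean, which is the point of step 4.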
5. Monitor Network Traffic for Exfiltration
Use `tcpdump` to spot suspicious outbound connections. Because `-n` disables name resolution, a domain name will not appear in the HTTP/HTTPS capture; grep that capture for the IOC's IP address, or capture DNS lookups to catch the domain:
sudo tcpdump -i any -n 'port 443 or port 80'
sudo tcpdump -i any -n port 53 | grep "malicious-domain.com"
6. Use a Sandbox for Python Development
Run Jupyter in a Docker container for isolation, and do not bind-mount the directory that holds your wallet keys into it:
docker run -p 8888:8888 jupyter/base-notebook
What Undercode Say
The Solana-Drainer attack highlights the risks of supply chain poisoning in open-source ecosystems. Developers must:
– Audit dependencies (`pip-audit`)
– Use virtual environments (`python -m venv`)
– Enable 2FA on PyPI
– Monitor for unusual system activity (`ps aux | grep python`)
Linux defenders should also:
- Check cron jobs for persistence: crontab -l
- Inspect running processes: top -b -n 1 | grep -i python
- Verify file integrity against a baseline you recorded earlier: sha256sum ~/.jupyter/*.ipynb
Windows users can look for the same signs with:
Get-Process | Where-Object { $_.Name -like "python*" }
Get-NetTCPConnection | Where-Object { $_.State -eq "Established" }
Prediction
Expect more AI/ML-targeted malware (Jupyter, Colab) as attackers exploit data scientists’ reliance on open-source tools.
Reported By: Mccartypaul Solana – Hackers Feeds