VYPR

pypi · Malicious package advisory

Malware

solidity-dev

MAL-2026-10194

Malicious code in solidity-dev (PyPI)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (30501f6602a5b5b436ef5d6224ec332fa866c9e8b9da4d0de3bc69de868b1fff)
solidity_dev/__init__.py contains a large base64-encoded Linux x86_64 ELF binary in _PAYLOAD_B64. On `import solidity_dev`, the module decodes the blob, writes it to disk with executable permissions via os/stat/shutil, and spawns it through subprocess. The dropped ELF references installer-owned wallet and key material paths (~/.ethereum/keystore, ~/.foundry/keystores, ~/.config/solana/id.json), browser wallet extensions (metamask, phantom, ledger), and BIP-39 / mnemonic / seed keyword scanning (including Spanish variants semilla, frase, clave, billetera), and uploads collected material to attacker-controlled destinations including api.pinata.cloud/pinning/pinFileToIPFS (with pinata_api_key / pinata_secret_api_key headers), ugu.se/upload, temp.sh, and transfer.sh. The binary also installs a cron entry (`0 */12 * * *`) via `crontab -l |... | crontab -`, giving the operator scheduled re-execution on the host. The package advertises 'Solidity development helpers' but ships no Solidity-related code — the name is a cover story for the dropper.

## Source: kam193 (c9741120bba24fda94f8c03e68cb1f051626700a69f8558f4f032c15536ec271)
The package embeds an executable stealing cryptocurrency wallets data. During import, code saves the executable under a name suggesting system utility and configures cron to run it periodically. The exfiltrated data is encrypted using embedded RSA code before uploading to file-sharing services or IPFS.


---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.


Campaign: 2026-07-py-base58


Reasons (based on the campaign):


 - crypto-related


 - exfiltration-crypto


 - persistence

Compromised versions (1)

  • 1.3.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.