Weaponized PyPI Package Steals Solana Private Keys Via Supply Chain Attack
5 Articles
A supply chain attack targeting Solana developers uses the malicious Python package "semantic-types" to steal cryptocurrency private keys. The attack circumvents traditional security measures through re-dependency and blockchain exfiltration techniques, and uses a delayed activation strategy to enhance stealth. The malware uses monkey patching to intercept key functions in real time, and captures and encrypts private key data when generatin…
Weaponized PyPI Package Steals Solana Private Keys Via Supply Chain Attack
A sophisticated supply chain attack targeting Solana developers has compromised over 25,900 downloads through a weaponized Python package that silently steals cryptocurrency private keys during routine development workflows. The malicious campaign, centered around a package called “semantic-types,” represents a new… The post Weaponized PyPI Package Steals Solana Private Keys Via Supply Chain Attack appeared first on IT Security News.
More threats to software supply chains
Kaspersky reports that, by the end of 2024, a total of 14 000 malicious packages had been found in open-source projects, a 48% increase compared to the end of 2023. A total of 42 million versions of open-source packages were examined by Kaspersky during 2024 in search of vulnerabilities. In March 2025, the Lazarus Group was reported to have deployed several malicious npm packages, which were downloaded multiple times before removal. These packages …
Poisoned models in fake Alibaba SDKs show challenges of securing AI supply chains
Developers have been increasingly targeted by attackers in recent years with fake software packages on open-source component repositories — a supply chain attack technique that has now expanded to include rogue AI frameworks and poisoned machine learning (ML) models as enterprises rush to build AI applications. In one recent attack, hackers uploaded packages to the Python Package Index (PyPI) — the public repository for open-source Python compon…