Cybersecurity experts have identified a serious software supply chain attack affecting the popular @solana/web3.js npm library, which has over 400,000 weekly downloads. Malicious versions 1.95.6 and 1.95.7 were found to contain code designed to steal users’ private keys and drain cryptocurrency wallets. The compromise likely originated from a phishing incident that gave the attackers control of a maintainer account with publish rights, which they used to release the malicious versions. Users of the library are advised to upgrade to the latest version immediately and to rotate their keys if they suspect any compromise. The incident highlights ongoing threats in the open-source ecosystem and the need for vigilance among developers in the cryptocurrency space.
Cybersecurity Alert: Major Supply Chain Attack Targets Solana Web3.js Library
Date: December 4, 2024
Author: Ravie Lakshmanan
Tags: Supply Chain Attack
In a concerning development for the cryptocurrency community, cybersecurity experts are warning about a serious supply chain attack involving the popular @solana/web3.js npm library. This attack has seen the release of two malicious versions that can capture users’ private keys, potentially allowing hackers to empty their cryptocurrency wallets.
The affected versions, 1.95.6 and 1.95.7, have been removed from the npm registry. With over 400,000 downloads each week, @solana/web3.js is widely used for building applications that interact with the Solana blockchain.
According to findings by the security team at Socket, these compromised versions contained malicious code specifically designed to steal private keys from unsuspecting developers and users. If successful, the code could enable attackers to drain funds from affected wallets.
Christophe Tafani-Dereeper from Datadog revealed that the malicious version 1.95.7 added a function named ‘addToQueue’ that exfiltrated private keys to a remote server, hiding them in what appeared to be legitimate Cloudflare headers. The server, identified as “sol-rpc[.]xyz,” is currently inactive and was registered only a short time before the attack.
It is believed that the maintainers of the library were victims of a phishing attack, which allowed the attackers to take over their accounts and publish the harmful packages. Library maintainer Steven Luscher confirmed that the attackers had gained access to an account with publish rights, which they used to release the contaminated versions.
Developers using @solana/web3.js are strongly urged to update to the latest version immediately, especially if their projects handle private keys directly. Those who suspect their keys might be compromised should consider rotating them as a precaution.
This incident follows a recent warning about a fake Solana-themed npm package designed to misdirect user funds to an attacker-controlled wallet. Security experts remind developers to be vigilant as malicious packages continue to threaten the integrity of the open-source community. The ongoing attacks highlight the importance of safeguarding credentials and wallet data to prevent significant financial losses.
What is the backdoor found in the Web3.js library?
The backdoor is a hidden way for attackers to access and control users’ funds without permission.
How does this backdoor affect Solana users?
It can allow hackers to steal money or manipulate transactions in users’ wallets without their knowledge.
What should users do to protect themselves?
Users should stop using the affected version of the Web3.js library and update to a safe version as soon as possible.
How can researchers detect such backdoors in libraries?
Researchers analyze the code for unusual patterns and test the software for unexpected behaviors that could indicate a backdoor.
What is Solana doing about this issue?
Solana is investigating the situation and working on solutions to ensure user safety and prevent future vulnerabilities.