Solana Web3.js library has a backdoor that steals private keys

Cryptoverse

On December 2, 2024, the Solana Web3.js package was compromised as a result of a supply chain attack and an account with the appropriate privileges. As a result, a backdoor was injected into the library code to steal private cryptocurrency keys. The @solana/web3.js library, which is downloaded from npm about 400,000 times weekly, is used by developers to build decentralized applications (dApps) for Node, web, and React Native. The library enables interaction between dApps, accounts, and programs on the Solana network.

The supply chain attack was first noticed by analysts at Socket. According to them, two versions of the library (1.95.6 and 1.95.7) were replaced with malicious ones and remained available for download through the official repository for about five hours (from 15:20 to 20:25, December 2, 2024). Compromised versions of Web3.js contained malicious code that allowed attackers to steal private keys from developers and users, and ultimately steal other people's cryptocurrency. According to Christophe Tafani-Dereeper, an information security specialist at DataDog, the attackers added a malicious addToQueue function to the code, which stole secret and private keys under the guise of legitimate CloudFlare headers and then transmitted the information to the hackers' server.

Solana maintainers have already confirmed the hack. According to them, the attack occurred after an account with publishing access was compromised, which allowed the attackers to publish two malicious versions of the library. All developers who may have interacted with malicious versions of the package are advised to immediately update to the latest version 1.95.8, as well as rotate all keys, secrets, and credentials.

"This issue should not affect non-custodial wallets, as they typically do not expose private keys during transactions. The issue is not with the Solana protocol itself, but with a specific JavaScript client library, and appears to only impact projects that work directly with private keys," the maintainers write.
At the same time, GitHub experts warn that even removing the package does not guarantee that other malware that appeared as a result of its installation will be removed from the machine. That is, developers should consider their systems completely compromised.

Representatives of Binance have already commented on the incident. According to them, none of the major cryptocurrency wallets were hacked as part of this attack on the supply chain, but attacks still took place.

“It is suspected that third-party tools related to private keys, including bots, may have been compromised due to dependencies not being updated in a timely manner,” Binance said.
According to Socket analysts, the attack was traced to the address FnvLGtucz4E1ppJHRTev6Qv4X7g8Pw6WPStHCcbAKbfx, which currently contains 674.86 Solana and various amounts of Irish Pepe, Star Atlas, Jupiter, USD Coin, Santa Hat, Pepe on Fire, Bonk, catwifhat and Genopets Ki tokens. That is, the value of the allegedly stolen cryptocurrency could be more than $180,000.
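The post names the two compromised releases (1.95.6 and 1.95.7) and the fixed one (1.95.8), but a quick `npm ls` is easy to misread when the bad version sits several levels deep in the tree. The following Node script is an added example, not code from the original post, Socket, DataDog or the Solana project: it walks an npm `package-lock.json` (both the lockfileVersion 2/3 `packages` map and the older lockfileVersion 1 nested `dependencies` form) and reports every copy of `@solana/web3.js` pinned to a compromised version, including transitive copies. The embedded lockfile and the helper package name `example-bot-sdk` are constructed for the demonstration.

```javascript
// Added example (not from the original post): scan an npm lockfile for the
// compromised @solana/web3.js releases named in the advisory (1.95.6, 1.95.7)
// anywhere in the dependency tree, including nested transitive copies.

const COMPROMISED = {
  "@solana/web3.js": new Set(["1.95.6", "1.95.7"]),
};

// lockfileVersion 2/3: keys are install paths such as
// "node_modules/@solana/web3.js" or
// "node_modules/foo/node_modules/@solana/web3.js".
function findInPackagesMap(packages) {
  const hits = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (!path) continue; // "" is the root project itself
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue;
    const name = path.slice(idx + "node_modules/".length);
    const bad = COMPROMISED[name];
    if (bad && bad.has(entry.version)) {
      hits.push({ name, version: entry.version, path });
    }
  }
  return hits;
}

// lockfileVersion 1: a recursive "dependencies" tree.
function findInDependenciesTree(deps, parentPath = "", hits = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${parentPath}node_modules/${name}`;
    const bad = COMPROMISED[name];
    if (bad && bad.has(entry.version)) {
      hits.push({ name, version: entry.version, path });
    }
    findInDependenciesTree(entry.dependencies, `${path}/`, hits);
  }
  return hits;
}

// Dispatch on lockfile shape; returns a list of {name, version, path}.
function scanLockfile(lock) {
  if (lock.packages) return findInPackagesMap(lock.packages);
  return findInDependenciesTree(lock.dependencies);
}

// Constructed sample lockfile (lockfileVersion 3): the project itself is on
// the fixed 1.95.8, but a hypothetical helper package "example-bot-sdk"
// still carries a nested copy of the compromised 1.95.7.
const SAMPLE_LOCK = {
  name: "example-dapp",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-dapp", dependencies: { "@solana/web3.js": "^1.95.8" } },
    "node_modules/@solana/web3.js": { version: "1.95.8" },
    "node_modules/example-bot-sdk": { version: "0.1.0" },
    "node_modules/example-bot-sdk/node_modules/@solana/web3.js": { version: "1.95.7" },
  },
};

// Print findings and return them so callers can act on the result.
function report(lock) {
  const hits = scanLockfile(lock);
  if (hits.length === 0) {
    console.log("No compromised @solana/web3.js versions found in lockfile.");
  } else {
    for (const h of hits) {
      console.log(`COMPROMISED: ${h.name}@${h.version} at ${h.path}`);
    }
    console.log("Update to 1.95.8 or later and rotate any keys this host could have exposed.");
  }
  return hits;
}

report(SAMPLE_LOCK);

// Usage on a real project:  node scan-lock.js ./package-lock.json
if (typeof process !== "undefined" && process.argv[2] && typeof require === "function") {
  const fs = require("fs");
  report(JSON.parse(fs.readFileSync(process.argv[2], "utf8")));
}
```

A clean lockfile is necessary but not sufficient: the maintainers' advice in the post still stands, so any host that installed one of the two versions during the exposure window should have its keys and credentials rotated regardless of what the scan finds now.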