FlagThis

A critical security flaw has been discovered in versions 1.95.6 and 1.95.7 of the widely used @solana/web3.js npm library, a JavaScript tool crucial for Solana blockchain applications. This supply chain attack, affecting over 350,000 weekly downloads, injected malicious code designed to steal private keys. The compromised code, concealed within legitimate code paths, exfiltrated private keys to a hardcoded Solana address (FnvLGtucz4E1ppJHRTev6Qv4X7g8Pw6WPStHCcbAKbfx) via Cloudflare headers, potentially leading to cryptocurrency theft from both developers and end-users. The attack, believed to stem from a phishing or social engineering campaign against library maintainers, underscores the vulnerability of software supply chains in the crypto space.

Developers are strongly urged to immediately update to version 1.95.8 or downgrade to version 1.95.5 of the @solana/web3.js library. Those who suspect their keys may be compromised are advised to rotate their authority keys. The compromised versions are no longer available for download. While non-custodial wallets are not affected, this incident highlights the serious risks associated with compromised open-source libraries and the importance of vigilant security practices within the development ecosystem. The compromised versions, which attracted over 50 million downloads, were identified and reported across several cybersecurity news outlets including Malware News, BleepingComputer, Cyber Insider, and The Hacker News.

ImgSrc: www.bleepstatic.com

References:

• The Hacker News - The Hacker News discusses the backdoor discovered in Solana's Web3.js npm library. - 21d
• Help Net Security - Solana’s popular web3.js library backdoored in supply chain compromise - 21d
• CyberInsider - Supply chain attack on Solana core library - 21d
• Over Security - Solana's web3.js library was backdoored to steal secret private keys via a supply chain attack, affecting cryptocurrency wallets. - 21d
• socket.dev - Supply chain attack: Solana web3.js library - 21d
• @bleepingcomputer.com - The legitimate Solana JavaScript SDK was temporarily compromised by a supply chain attack, resulting in malicious code stealing cryptocurrency private keys. - 21d
• Malware Analysis, News and Indicators - Malware News reports on the malware found in Solana's npm library with 50M downloads. - 21d
• www.bleepingcomputer.com - BleepingComputer reports on the malicious Solana packages found on npm. - 21d
• bsky.app - Analysis of the Solana package revealed malicious URLs designed to exfiltrate private keys. - 21d
• Security Risk Advisors - Supply Chain Attack Compromises Solana’s web3.js Library, Targets Private Keys - 20d
• sra.io - SRA.io article mentioning the Solana vulnerability. - 20d
• Ars Technica - Backdoor slipped into popular code library, drains ~$155k from digital wallets | Ars Technica "The backdoor came in the form of code that collected private keys and wallet addresses when apps that dir - 19d
• www.heise.de - Supply chain attack: Solana web3.js library was infected with malicious code Unknown attackers have equipped Solana's JavaScript SDK with malicious code to steal private keys. - 19d

Classification:

• HashTags: Solana SupplyChain Cryptocurrency
• Company: Solana
• Target: Solana users and developers
• Product: web3.js
• Feature: web3.js
• Type: Malware
• Severity: Major