A major software supply chain attack, the Solana Web3.js npm library backdoor, has been uncovered, affecting versions 1.95.6 and 1.95.7 of the package.
Cybersecurity experts have revealed that malicious code injected into these versions could steal users’ private keys, putting cryptocurrency wallets at risk of being drained.
The attack has highlighted the ongoing vulnerabilities in widely used open-source libraries, reminding us all to remain vigilant about updates and security.
Key Takeaway on the Solana Web3.js npm Library Backdoor:
- The Solana Web3.js npm library backdoor underscores the dangers of supply chain attacks, especially for developers and users relying on open-source tools.
Understanding the Solana Web3.js npm Library Backdoor
What Happened?
Two compromised versions of the popular npm package @solana/web3.js, downloaded over 400,000 times weekly, were discovered with malicious code designed to harvest private keys.
Once attackers obtained these keys, they could drain funds from wallets linked to the compromised apps.
The attack exploited versions 1.95.6 and 1.95.7. Both have since been removed from the npm registry, but the damage potential was significant.
How the Backdoor Worked
- Malicious Functionality: Researchers identified an addToQueue function that exfiltrated private keys through fake CloudFlare headers.
- C2 Server: Stolen data was sent to a command-and-control (C2) server at sol-rpc[.]xyz, registered on November 22, 2024. The server is now offline.
The injected malicious code cleverly blended with legitimate functionality, making detection difficult during the affected timeframe of December 2, 2024, from 3:20 p.m. UTC to 8:25 p.m. UTC.
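Because the C2 server is offline, the remaining defensive use of the indicators above is a retrospective hunt through outbound HTTP logs. The script below is an added example, not code from the article or from the Solana project; the log line format and the sample lines are constructed for the demo, and the window is the UTC timeframe quoted above.

```javascript
// Added example: retrospective hunt over egress logs for the C2 domain named
// in the write-up. Log format and sample lines are constructed, not real data.
const C2_DOMAIN = "sol-rpc.xyz"; // written sol-rpc[.]xyz (de-fanged) in the article
// Window during which the backdoored versions were live on npm (UTC).
const WINDOW_START = Date.parse("2024-12-02T15:20:00Z");
const WINDOW_END = Date.parse("2024-12-02T20:25:00Z");

// Matches the domain itself and any subdomain, but not look-alikes such as
// "notsol-rpc.xyz".
function isC2Host(host) {
  const h = host.toLowerCase();
  return h === C2_DOMAIN || h.endsWith("." + C2_DOMAIN);
}

// Parses one constructed log line: "<ISO time> <src ip> <method> <url>".
function parseLine(line) {
  const m = line.match(/^(\S+) (\S+) (\S+) (\S+)$/);
  if (!m) return null;
  let host;
  try { host = new URL(m[4]).hostname; } catch { return null; }
  return { ts: Date.parse(m[1]), src: m[2], method: m[3], host };
}

// Returns one finding per line that contacted the C2 domain, noting whether it
// fell inside the npm exposure window or outside it (a host that installed a
// bad build may keep calling home after the registry cleanup).
function huntC2(lines) {
  const findings = [];
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || Number.isNaN(e.ts) || !isC2Host(e.host)) continue;
    const inWindow = e.ts >= WINDOW_START && e.ts <= WINDOW_END;
    findings.push({ src: e.src, host: e.host, inWindow });
  }
  return findings;
}

// Constructed sample egress log.
const SAMPLE_LOG = [
  "2024-12-02T15:45:10Z 10.0.0.5 POST https://rpc.example.com/",
  "2024-12-02T16:02:33Z 10.0.0.5 POST https://sol-rpc.xyz/",
  "2024-12-02T21:00:00Z 10.0.0.9 POST https://api.sol-rpc.xyz/v1",
  "2024-12-02T16:10:00Z 10.0.0.7 GET https://notsol-rpc.xyz/",
  "garbage line",
];

for (const f of huntC2(SAMPLE_LOG)) {
  console.log(`${f.src} -> ${f.host} ${f.inWindow ? "(in window)" : "(OUTSIDE window)"}`);
}
```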
Real-World Impacts of the Backdoor
This isn’t the first time a supply chain attack has endangered developers and users. In 2021, the UAParser.js npm package was similarly hijacked, infecting users’ systems with cryptocurrency miners.
The current attack mirrors these tactics, leveraging trust in open-source ecosystems to target unsuspecting users.
For non-custodial wallets, this threat was less impactful since they do not expose private keys during transactions. However, developers using dApps or bots handling private keys directly were most at risk.
What Developers and Users Need to Do Now
Immediate Steps
- Update to Version 1.95.8 or Later: The latest version of @solana/web3.js fixes the backdoor issue. Updating removes the compromised versions from your projects.
- Rotate Keys: If you suspect exposure, rotate your private keys immediately.
- Review Dependencies: Regularly audit dependencies for vulnerabilities to minimize risks.
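The dependency review above is only reliable if it also catches transitive copies of the package, which a top-level version pin does not cover. The script below is an added example, not code from the article or the Solana project: it walks an npm lockfile (lockfileVersion 1, 2 or 3) and reports every installed copy of @solana/web3.js at one of the two affected versions. The sample lockfile is constructed for the demo.

```javascript
// Added example: audit an npm lockfile for the two backdoored releases.
// Package names and the sample lockfile below are constructed for the demo.
const PACKAGE = "@solana/web3.js";
// Only these two published versions carried the backdoor.
const AFFECTED = new Set(["1.95.6", "1.95.7"]);

// Returns [{path, version}] for every installed copy of @solana/web3.js whose
// version is in AFFECTED. Handles lockfileVersion 2/3 ("packages", keyed by
// install path) and lockfileVersion 1 ("dependencies", nested per package).
function findAffected(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      // Nested copies look like node_modules/x/node_modules/@solana/web3.js
      if (p.endsWith("node_modules/" + PACKAGE) && AFFECTED.has(meta.version)) {
        hits.push({ path: p, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const p = prefix + "node_modules/" + name;
        if (name === PACKAGE && AFFECTED.has(meta.version)) {
          hits.push({ path: p, version: meta.version });
        }
        if (meta.dependencies) walk(meta.dependencies, p + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile: the app itself pins the fixed 1.95.8, but a
// transitive dependency still brings in the backdoored 1.95.7.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/@solana/web3.js": { version: "1.95.8" },
    "node_modules/some-trading-bot": { version: "0.1.0" },
    "node_modules/some-trading-bot/node_modules/@solana/web3.js": { version: "1.95.7" },
  },
};

for (const h of findAffected(SAMPLE_LOCK)) {
  console.log(`AFFECTED ${h.path} @ ${h.version}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.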
Long-Term Security Practices
| Security Tip | Why It Matters |
|---|---|
| Use 2FA for npm Accounts | Protects maintainers from phishing attacks that lead to package hijacks. |
| Monitor for Updates | Ensures you’re using secure and up-to-date versions of libraries. |
| Implement Dependency Scanners | Tools like Socket or Snyk can help identify malicious packages early. |
How the Attack Was Possible
Researchers believe the attack stemmed from a phishing incident targeting a maintainer of the @solana/web3.js npm package. Once the attackers gained access, they published unauthorized versions containing the backdoor.
As Steven Luscher, a maintainer, explained, “A publish-access account was compromised, allowing malicious versions to be uploaded.”
This highlights the importance of securing developer accounts with robust measures like two-factor authentication.
About Solana and Web3.js
Solana is a high-performance blockchain platform designed for decentralized apps and crypto projects. The @solana/web3.js library is a vital tool for developers building apps using Solana’s SDK.
With over 400,000 weekly downloads, its popularity makes it a prime target for supply chain attacks.
Conclusion: A Wake-Up Call for Developers
The Solana Web3.js npm library backdoor serves as a harsh reminder that even trusted open-source tools can be compromised.
By staying informed, updating dependencies promptly, and adopting best security practices, developers and users can reduce the risks of similar incidents.
FAQs
What is the Solana Web3.js npm library backdoor?
It’s a security vulnerability in versions 1.95.6 and 1.95.7 of the @solana/web3.js library that allowed attackers to steal private keys and compromise cryptocurrency wallets.
How can I protect my project from this issue?
Update to version 1.95.8 or later, rotate your keys if necessary, and review your dependencies regularly.
Who was affected by this attack?
Projects using versions 1.95.6 or 1.95.7 of @solana/web3.js during the affected timeframe on December 2, 2024. Non-custodial wallets were not impacted.
Why do attackers target open-source libraries?
Open-source libraries are widely used and trusted, making them an effective way to distribute malicious code.
How can developers prevent similar attacks?
Use strong account security measures like 2FA, monitor dependencies for vulnerabilities, and rely on automated tools to detect malicious code.