Cybersecurity researchers are warning of a software supply chain attack targeting the popular @solana/web3.js npm library, which involved the publication of two malicious versions capable of harvesting users’ private keys in order to drain their cryptocurrency wallets.
The attack was discovered in versions 1.95.6 and 1.95.7. Both of these versions are no longer available for download from the npm registry. The package is widely used, attracting more than 400,000 downloads every week.
“These compromised versions contain embedded malware that is designed to steal private keys from unsuspecting developers and users, potentially allowing attackers to empty cryptocurrency wallets,” Socket said in a report.
@solana/web3.js is an npm package that can be used to interact with the Solana JavaScript Software Development Kit (SDK) when building Node.js and web applications.
According to Datadog security researcher Christophe Tafani-Dereeper, “the backdoor inserted in v1.95.7 adds an ‘addToQueue’ function that steals the private key via seemingly legitimate CloudFlare headers,” and “calls to this function are then inserted into various places that (legitimately) access the private key.”
The command-and-control (C2) server to which the keys were exfiltrated (“sol-rpc(.)xyz”) is currently down. The domain was registered on November 22, 2024, through the registrar NameSilo.
It is suspected that the maintainers of the npm package fell victim to a phishing attack that allowed threat actors to take control of their accounts and publish the malicious versions.
“The publish access account has been compromised for @solana/web3.js, a JavaScript library commonly used by Solana dApps,” Steven Luscher, one of the library’s maintainers, said in the release notes for version 1.95.8.
“This allowed an attacker to publish unauthorized and malicious packages that were modified to allow them to steal private key material and extract funds from dApps such as bots that process private keys directly. Non-custodial wallets should not be affected by this issue, as they typically do not disclose private keys during transactions.”
Luscher also noted that the incident only affects projects that directly handle private keys and that were updated between 15:20 UTC and 20:25 UTC on December 2, 2024.
Users relying on @solana/web3.js as a dependency are encouraged to update to the latest version as soon as possible and to rotate their authority keys if they suspect they have been compromised.
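As an added example that is not from the article or the @solana/web3.js project, the following Node.js helper checks a package-lock.json for the two compromised releases, including copies pulled in transitively through another dependency; the sample lockfile is constructed for illustration.

```javascript
// Added example (not the article's or the project's code): flag the two
// compromised @solana/web3.js releases anywhere in a package-lock.json.
const PKG = '@solana/web3.js';
const COMPROMISED = new Set(['1.95.6', '1.95.7']); // versions named in the advisory

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function scanPackagesMap(packages) {
  const hits = [];
  for (const [path, entry] of Object.entries(packages || {})) {
    const isTarget = path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`);
    if (isTarget && COMPROMISED.has(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// lockfileVersion 1: nested "dependencies" tree; recurse to catch nested copies.
function scanDependencyTree(deps, parentPath, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${parentPath}node_modules/${name}`;
    if (name === PKG && COMPROMISED.has(entry.version)) hits.push({ path, version: entry.version });
    scanDependencyTree(entry.dependencies, `${path}/`, hits);
  }
  return hits;
}

// Returns [{ path, version }] for every compromised copy found in the lockfile object.
function findCompromisedSolanaWeb3(lockfile) {
  if (lockfile.packages) return scanPackagesMap(lockfile.packages);
  return scanDependencyTree(lockfile.dependencies, '', []);
}

// Constructed sample: the top-level copy is patched, but a bot SDK (hypothetical
// name) pins its own nested copy of the compromised 1.95.7 release.
const SAMPLE_LOCKFILE = {
  name: 'example-trading-bot',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-trading-bot', version: '1.0.0' },
    'node_modules/@solana/web3.js': { version: '1.95.8' },
    'node_modules/some-bot-sdk': { version: '2.1.0' },
    'node_modules/some-bot-sdk/node_modules/@solana/web3.js': { version: '1.95.7' },
  },
};

const sampleHits = findCompromisedSolanaWeb3(SAMPLE_LOCKFILE);
console.log(sampleHits.length ? sampleHits : `no compromised ${PKG} versions found`);
```

For a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findCompromisedSolanaWeb3`; a non-empty result means the affected release was installed and the key-rotation advice above applies.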
The disclosure comes days after Socket warned about a rogue Solana-themed npm package called solana-systemprogram-utils, which is designed to covertly redirect user funds to an attacker-controlled wallet address in 2% of transactions.
“The code cleverly disguises its intentions while functioning normally 98% of the time,” the Socket Research Team said. “This design minimizes suspicion, but still allows an attacker to withdraw funds.”
It also follows the discovery of npm packages such as crypto-keccak, crypto-jsonwebtoken and crypto-bignumber that pose as legitimate libraries but contain code to steal credentials and cryptocurrency wallet data, again highlighting how threat actors continue to abuse the trust developers place in the open source ecosystem.
“The malware threatens individual developers by stealing their credentials and wallet data, which can lead to direct financial losses,” security researcher Kirill Boychenko noted. “For organizations, compromised systems create vulnerabilities that can spread throughout the enterprise environment, allowing widespread exploitation.”