Written by Martin Petkov
Published on December 4, 2024

Critical Security Alert: Solana web3.js Library Compromise

A sophisticated supply chain attack has compromised versions 1.95.6 and 1.95.7 of the widely used @solana/web3.js JavaScript library.


A sophisticated supply chain attack has compromised the widely-used @solana/web3.js JavaScript library. The attack, discovered on December 3, 2024, injected malicious code designed to steal private keys and drain cryptocurrency wallets.

Impact overview

  • Affected versions: 1.95.6 and 1.95.7 of @solana/web3.js
  • Exposure: On average, 350,000 to 450,000 weekly downloads on npm
  • Attack window: December 2, 2024, between 3:20 PM UTC and 8:25 PM UTC (confirmed by library maintainer Steven Luscher)
  • Documented losses: Approximately $160,000 in stolen SOL, plus additional tokens valued at over $31,000, according to on-chain data as of this writing

Technical analysis

Attackers compromised a publish-access account for the @solana/web3.js library. They injected malicious code that captures and transmits private keys to a hardcoded Solana address: FnvLGtucz4E1ppJHRTev6Qv4X7g8Pw6WPStHCcbAKbfx.

The attack utilized sophisticated obfuscation techniques. Datadog security researcher Christophe Tafani-Dereeper revealed the backdoor's key components:

Figure: code snippet showing a function addToQueue that encodes and queues a process, sending data via an HTTP POST request to a specified API endpoint, including headers for authentication.
Source: Socket


The malicious code:

  1. Hides behind seemingly legitimate CloudFront headers
  2. Strategically injects into multiple code paths that access private keys
  3. Exfiltrates data to a command-and-control server at sol-rpc[.]xyz

Figure: highlighted code sections calling the addToQueue function to handle sensitive data such as secretKey and privateKey, with arrows marking the key usages within the code logic.
Source: Socket


Although similar to previous supply chain compromises, this attack uses more advanced obfuscation methods. The attackers registered their command-and-control domain on November 22, 2024 through NameSilo, hiding behind CloudFront's services.


Who is affected

According to the library maintainer, the compromise affects:

  1. Projects that
    1. Directly handle private keys
    2. Updated dependencies during the exposure window
  2. JavaScript bots or backend systems using private keys
  3. Applications that integrated the compromised versions 1.95.6 or 1.95.7

The following are not affected:

  • Non-custodial wallets (they don't expose private keys during transactions)
  • Projects using version 1.95.5 or earlier
  • Projects using version 1.95.8 or later
  • Phantom wallet and Backpack exchange have confirmed they are unaffected


Required actions

For developers

First, check your `yarn.lock`/`package-lock.json` files as soon as possible to confirm you are not using version 1.95.6 or 1.95.7 of the @solana/web3.js library.

For local directories, use the following grep command:

grep -r "@solana/web3.js" .

For GitHub repositories, run a search with:

user:YOUR_USERNAME "@solana/web3.js"

If you’re using a compromised version:

  1. Remove the compromised package
  2. Update to version 1.95.8 or downgrade to 1.95.5
  3. Inspect your node_modules directory and dependency trees
  4. Generate new private keys
  5. Revoke compromised permissions

For users

  1. Limit interactions with Solana-based applications until you confirm their security status
  2. Move assets to a new wallet if you suspect compromise
  3. Monitor your transaction history for unauthorized activities


Current mitigation status

✓ npm has removed compromised versions
✓ Patched version 1.95.8 has been released
✓ Command-and-control server taken offline


Lessons and prevention strategies

This incident highlights critical preventative security best practices.

  1. Dependency management:
    • Always verify the authenticity of your npm packages and dependencies.
    • Maintain strict version control and package lockfiles.
    • Use a scanning tool to check dependencies.
    • Run regular security audits of your project dependencies.

  2. Private key security:
    • Never expose private keys during normal transactions.
    • Implement proper access controls for private key operations.
    • Review all code paths that handle private keys.
    • Consider using non-custodial solutions where possible.

  3. Supply chain security:
    • Be cautious of package updates, even from trusted sources.
    • Monitor for suspicious code modifications in dependencies.
    • Watch for unauthorized package publications.
    • Implement robust code review processes.

  4. Response preparation:
    • Have a plan ready for security incidents.
    • Know how to quickly revoke compromised permissions.
    • Maintain clear communication channels with users.
    • Keep security tools and contacts readily available.

And above all else, ensure your code is security audited before deploying.


Conclusion

Monitor official Solana channels for the latest security updates.

This incident shows the evolving sophistication of supply chain attacks. The quick response from the Solana community and security researchers limited the damage. However, it reinforces the need to stay vigilant.
