
A significant supply chain attack targeted the widely used @solana/web3.js npm library, aiming to steal private keys and, with them, funds, putting both developers and cryptocurrency users at risk. The malicious versions, 1.95.6 and 1.95.7, were briefly published on December 2, 2024, before being swiftly removed.
The attackers exploited the library’s maintainers, likely through phishing, allowing them to inject malicious code. Security researchers revealed that the code exfiltrated private keys to an attacker-controlled server, sol-rpc[.]xyz, which was registered just days before the breach. Christophe Tafani-Dereeper, a cloud security researcher, identified the “addToQueue” backdoor function that hijacked key-sensitive processes within the package.
The malicious activity affected projects that directly handled private keys and updated their dependencies within the five-hour attack window. These include decentralized applications (dApps) or automated bots that rely on private keys to operate. Non-custodial wallets, which do not expose private keys during transactions, were not impacted.
The stolen assets, primarily in SOL tokens, are estimated to total between $130,000 and $160,000. Major wallets like Phantom and Coinbase confirmed they were unaffected as they did not integrate the compromised versions.
Solana Labs and other experts recommended these actions for developers:
- Audit dependencies to identify usage of @solana/web3.js versions 1.95.6 or 1.95.7
- Update to version 1.95.8 immediately
- Rotate keys, including multi-sigs and program authorities, if compromise is suspected
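The dependency audit in the first recommendation, as an added example that is not from the article or from Solana Labs: a Node.js script that walks a parsed package-lock.json (both the v1 nested layout and the v2/v3 flat layout) and reports every copy of @solana/web3.js pinned to 1.95.6 or 1.95.7, including transitive copies nested under other packages that a top-level check would miss. The sample lockfile and the package name some-bot are constructed.

```javascript
// Added example (not from the article): scan a parsed package-lock.json for
// the compromised @solana/web3.js releases named in the advisory.
const COMPROMISED = { "@solana/web3.js": new Set(["1.95.6", "1.95.7"]) };

// Walks both lockfile layouts: v2/v3 "packages" (flat map keyed by install
// path) and v1 "dependencies" (nested tree). Returns [{ path, version }].
function findCompromised(lock, compromised = COMPROMISED) {
  const hits = [];
  const check = (name, version, location) => {
    const bad = compromised[name];
    if (bad && bad.has(version)) hits.push({ path: location, version });
  };
  if (lock.packages) {
    // keys look like "node_modules/some-bot/node_modules/@solana/web3.js"
    for (const [loc, meta] of Object.entries(lock.packages)) {
      if (!loc) continue; // "" is the root project itself
      const tail = loc.lastIndexOf("node_modules/") + "node_modules/".length;
      check(meta.name || loc.slice(tail), meta.version, loc);
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const loc = `${prefix}node_modules/${name}`;
      check(name, meta.version, loc);
      walk(meta.dependencies, loc + "/"); // transitive copies live one level down
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile: a direct dependency on the patched release
// plus a transitive, compromised copy nested under a hypothetical "some-bot".
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-dapp", version: "1.0.0" },
    "node_modules/@solana/web3.js": { version: "1.95.8" },
    "node_modules/some-bot": { version: "0.1.0" },
    "node_modules/some-bot/node_modules/@solana/web3.js": { version: "1.95.7" },
  },
};

// Only the nested copy is flagged; the top-level 1.95.8 is clean.
for (const h of findCompromised(SAMPLE_LOCK)) {
  console.log(`COMPROMISED ${h.path} @ ${h.version}`);
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findCompromised` and fail the build when the returned list is non-empty.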
This attack follows other npm package breaches, such as crypto-keccak and solana-systemprogram-utils, which similarly targeted cryptocurrency wallets. Such incidents underscore the critical importance of verifying the integrity of software libraries and implementing stringent security measures to protect sensitive information within the cryptocurrency ecosystem.
Developers and users are strongly encouraged to review and update their dependencies, conduct thorough security audits, and remain vigilant against similar threats in the future.