Solana dev library web3.js compromised to steal private keys
Solana’s web3.js library was compromised yesterday in a supply chain attack that installed malicious packages capable of stealing the private keys of users and draining their funds.
The attack was reported by Solana developer @trentdotsol and specifically affected versions 1.95.6 and 1.95.7 of the Solana web3.js library.
Since then, a wave of Solana-based developers have come out to confirm they are not impacted by the exploit. Unaffected firms include Solflare, Phantom Wallet, and Helium.
Solana’s web3.js is a JavaScript library accessible to developers wanting to build Solana-based apps. Reports suggest that maintainers of the library may have been targeted by a phishing campaign as attackers gained access to the “publish-access account.”
Read more: ‘Solana killer’ Sui does Solana things — goes offline for 2 hours
Through this account, the attackers introduced a private key stealer into the two versions of Solana’s web3.js library with an ‘addToQueue’ function that stole under the guise of Cloudflare headers. According to Solscan, the attackers stole close to $160,000.
Solana research firm Anza posted, “This is not an issue with the Solana protocol itself, but with a specific JavaScript client library.”
It stressed it “only appears to affect projects that directly handle private keys and that updated within the window of 3:20pm UTC and 8:25pm UTC on Tuesday, December 2, 2024.”
It claims the two exploits were “caught within hours and have since been unpublished,” and asked, “all Solana app developers to upgrade to version 1.95.8. Developers pinned to `latest` should also upgrade to 1.95.8.”
Got a tip? Send us an email or ProtonMail. For more informed news, follow us on X, Instagram, Bluesky, and Google News, or subscribe to our YouTube channel.