Introduction

A significant software supply chain attack has compromised the @solana/web3.js npm library [2], a critical tool for developers building decentralized applications on the Solana blockchain [5]. The incident shows how a single compromised publishing account can turn a trusted, widely installed dependency into a delivery vehicle for key-stealing code.

Description

A software supply chain attack has targeted the popular @solana/web3.js npm library [9], which is essential for developers creating decentralized applications on the Solana blockchain [5] [6]. On December 2, 2024 [1] [3], attackers compromised an account with publish access to the package [5], allowing them to publish malicious versions 1.95.6 and 1.95.7 of the library [4]. These versions were designed to harvest private keys from developers and users, enabling the attackers to drain cryptocurrency wallets [3] [7]. The malicious code added an 'addToQueue' function that exfiltrated private key material via Cloudflare headers to a command-and-control server at sol-rpc[.]xyz [3] [7], a domain that has since been taken offline. The publish-access account was most likely compromised through a phishing campaign.

Projects that directly handle private keys [1] [3] [6], such as bots and automated scripts [7], were the most exposed [5] [7], while major wallets like Phantom and Coinbase confirmed they were not significantly affected because they had not integrated the compromised versions [1]. Non-custodial wallets [1] [7], which do not expose private keys to the library during transactions [1], were likewise unaffected [1] [7] [8]. The malicious versions were available on npm for roughly five hours, from 3:20 PM UTC to 8:25 PM UTC on that day, before they were detected and removed; any project whose dependency resolution pulled in 1.95.6 or 1.95.7 during that window should be treated as exposed.

To mitigate risks [1], users of the affected versions are advised to audit their dependencies, downgrade to a safe version prior to 1.95.6 [4], or upgrade to version 1.95.8 [1] [5] [6] [8], which has removed the malicious injections [4]. Developers should also rotate and regenerate any potentially compromised authority keys, including multisigs and server keypairs [2], and verify their installed packages so that the affected versions are not present anywhere in the dependency tree [2]. A warning from the GitHub Advisory Database stated that any system running the compromised package should be considered fully compromised [6]; it urged immediate rotation of all secrets and keys from a separate, secure computer and removal of the package [6], while noting that complete removal of the malicious software could not be guaranteed [6]. This incident underscores the increasing prevalence of supply chain attacks in the open-source ecosystem [3], where attackers exploit trust in widely used libraries to reach a large user base, and highlights the importance of maintaining security best practices [7].
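The audit described above can be automated. The following is an added example for this write-up, not code from the original article or from the Solana project: it locates the compromised @solana/web3.js releases at any install path in an npm lockfile (lockfileVersion 1, 2 or 3, including nested copies under other dependencies) and checks package source text for the indicators reported above, the 'addToQueue' function name and the sol-rpc[.]xyz domain. The lockfiles and source snippets embedded in it are constructed for illustration; the function and variable names are the example's own.

```javascript
// Added example (not from the original article or the Solana project):
// find the compromised @solana/web3.js releases in an npm lockfile and
// scan source text for the reported indicators. All sample data is constructed.

const COMPROMISED_VERSIONS = {
  "@solana/web3.js": new Set(["1.95.6", "1.95.7"]),
};

// Indicators reported for the backdoor. The exfiltration domain is written
// undefanged so it matches real source text and is the strong indicator;
// "addToQueue" is a common identifier and on its own is only a weak signal.
const STRONG_INDICATORS = ["sol-rpc.xyz"];
const WEAK_INDICATORS = ["addToQueue"];

// Derive the package name from a lockfile v2/v3 path such as
// "node_modules/foo/node_modules/@solana/web3.js".
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? installPath : installPath.slice(idx + marker.length);
}

// Return every install path in the lockfile pinned to a compromised version.
// lockfileVersion 2/3 use a flat "packages" map keyed by path; lockfileVersion 1
// uses a nested "dependencies" tree. A v2 file carries both shapes, so only one
// of them is walked to avoid duplicate findings.
function findCompromisedPackages(lockfile) {
  const hits = [];
  const record = (name, version, installPath) => {
    const bad = COMPROMISED_VERSIONS[name];
    if (bad && bad.has(version)) hits.push({ name, version, path: installPath });
  };

  if (lockfile.packages) {
    for (const [installPath, entry] of Object.entries(lockfile.packages)) {
      if (installPath === "") continue; // the root project entry
      record(entry.name || packageNameFromPath(installPath), entry.version, installPath);
    }
    return hits;
  }

  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const installPath = `${prefix}node_modules/${name}`;
      record(name, entry.version, installPath);
      walk(entry.dependencies, `${installPath}/`);
    }
  };
  walk(lockfile.dependencies, "");
  return hits;
}

// Scan source text (e.g. an installed package file) for the reported
// indicators; returns which strong and weak indicators were found.
function scanSourceForIndicators(sourceText) {
  return {
    strong: STRONG_INDICATORS.filter((ioc) => sourceText.includes(ioc)),
    weak: WEAK_INDICATORS.filter((ioc) => sourceText.includes(ioc)),
  };
}

// Constructed v3 lockfile: the project pulled in 1.95.7 directly, while a
// nested copy under another dependency is on the safe 1.95.5.
const SAMPLE_LOCKFILE_V3 = {
  name: "trading-bot",
  lockfileVersion: 3,
  packages: {
    "": { name: "trading-bot", version: "1.0.0" },
    "node_modules/@solana/web3.js": { version: "1.95.7" },
    "node_modules/some-sdk": { version: "2.0.0" },
    "node_modules/some-sdk/node_modules/@solana/web3.js": { version: "1.95.5" },
  },
};

// Constructed v1 lockfile: the top-level copy is fixed, but a nested copy
// under another dependency is the other bad release.
const SAMPLE_LOCKFILE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "@solana/web3.js": { version: "1.95.8" },
    "some-sdk": {
      version: "2.0.0",
      dependencies: { "@solana/web3.js": { version: "1.95.6" } },
    },
  },
};

// Constructed source snippets: one carrying both indicators, one that only
// happens to use the common function name.
const SAMPLE_SOURCE_SUSPECT =
  'function addToQueue(k) { /* ... */ }\nconst host = "sol-rpc.xyz";\n';
const SAMPLE_SOURCE_CLEAN = "export function addToQueue(job) { queue.push(job); }\n";

console.log(findCompromisedPackages(SAMPLE_LOCKFILE_V3));
console.log(findCompromisedPackages(SAMPLE_LOCKFILE_V1));
console.log(scanSourceForIndicators(SAMPLE_SOURCE_SUSPECT));
console.log(scanSourceForIndicators(SAMPLE_SOURCE_CLEAN));
```

Run it against a real project by loading package-lock.json with JSON.parse and reading installed files under node_modules/@solana/web3.js; a nested hit matters as much as a top-level one, because the code executes wherever it is resolved from. A weak-only match (the function name without the domain) is a prompt to inspect the file, not a verdict.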

Conclusion

The attack on the @solana/web3.js npm library serves as a stark reminder of the growing threat of supply chain attacks within open-source environments. It underscores the necessity for developers to remain vigilant, regularly audit their dependencies, and adhere to security best practices. The incident also emphasizes the importance of rapid response and mitigation strategies to minimize potential damage. As the open-source community continues to expand, the need for robust security measures and awareness of potential vulnerabilities becomes increasingly critical to safeguard against future threats.

References

[1] https://www.infosecurity-magazine.com/news/solana-library-supply-chain-attack/
[2] https://www.helpnetsecurity.com/2024/12/04/solana-web3-js-supply-chain-compromise/
[3] https://cybermaterial.com/backdoor-discovered-in-solana-npm-library/
[4] https://www.csoonline.com/article/3617893/solana-sdk-backdoored-for-stealing-secrets-private-keys.html
[5] https://decrypt.co/294742/solana-web3-js-library-compromised-in-targeted-supply-chain-attack
[6] https://arstechnica.com/information-technology/2024/12/backdoor-slips-into-popular-code-library-drains-155k-from-digital-wallets/
[7] https://vulert.com/blog/solana-web3js-npm-backdoor/
[8] https://protos.com/solana-dev-library-web3-js-compromised-to-steal-private-keys/
[9] https://news.backbox.org/2024/12/04/researchers-uncover-backdoor-in-solanas-popular-web3-js-npm-library/