Solana’s popular web3.js library backdoored in supply chain compromise
A software supply chain attack has led to the publication of malicious versions of Solana’s web3.js library on the npm registry.
Just like the recent Lottie Player supply chain compromise, this attack was reportedly made possible due to compromised (phished) npm.js account credentials.
What happened?
“Earlier today, a publish-access account was compromised for @solana/web3.js, a JavaScript library that is commonly used by Solana [decentralized apps]. This allowed an attacker to publish unauthorized and malicious packages that were modified, allowing them to steal private key material and drain funds from dapps, like bots, that handle private keys directly,” Steven Luscher, one of the library’s maintainers, confirmed on Tuesday.
“This is not an issue with the Solana protocol itself, but with a specific JavaScript client library and only appears to affect projects that directly handle private keys and that updated within the window of 3:20pm UTC and 8:25pm UTC on Tuesday, December 2, 2024.”
Versions 1.95.6 and 1.95.7 of the library are compromised and have been “unpublished”. Version 1.95.8 is the “clean” version Solana app developers are asked to upgrade to.
“Developers that suspect they might be compromised should rotate any suspect authority keys, including multisigs, program authorities, server keypairs, and so on,” Luscher concluded.
The impact
Christophe Tafani-Dereeper, a security researcher with SaaS cloud monitoring company Datadog, explained how the malicious code injected into the compromised library versions exfiltrates the private key through Cloudflare headers.
The impact of this attack is yet to be felt, though it looks like major wallets and apps have not been affected, according to Helius CEO Mert Mumtaz.
“In general, wallets should not be affected since they don’t expose private keys — the biggest effect would be on people running JS bots on the backend (i.e., not user facing) with private keys on those servers *if* they updated to this version within the timeframe (last few hours until the patch),” he said.
“If you’re a solana dev, check your packages NOW to ensure you don’t use these versions now or in the future — especially check any automations.”
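One way to run the package check the article calls for, as an added example that is not code from the article, Solana or Datadog: a Node script that scans an npm lockfile for the two compromised releases named above (1.95.6 and 1.95.7), including transitive copies pulled in by other dependencies. It assumes the standard package-lock.json layouts (v1 nested "dependencies", v2/v3 flat "packages"); the sample lockfile embedded below is constructed.

```javascript
// Added example: detect the compromised @solana/web3.js releases in a lockfile.
const PACKAGE = '@solana/web3.js';
const COMPROMISED = new Set(['1.95.6', '1.95.7']); // versions named in the article

// Return every install path in a parsed lockfile where a compromised
// version is present. Handles lockfileVersion 2/3 ("packages" map keyed
// by install path) and lockfileVersion 1 (nested "dependencies" tree).
function findCompromised(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // keys look like "node_modules/@solana/web3.js" or
    // "node_modules/<dep>/node_modules/@solana/web3.js" for nested copies
    if (path.endsWith('node_modules/' + PACKAGE) && meta && COMPROMISED.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + 'node_modules/' + name;
      if (name === PACKAGE && COMPROMISED.has(meta.version)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, path + '/'); // nested node_modules in v1 lockfiles
    }
  };
  if (!lock.packages) walk(lock.dependencies, ''); // v2 lockfiles carry both; avoid double counting
  return hits;
}

// Read and scan a lockfile from disk (CommonJS / Node assumed).
function scanLockfile(file) {
  const fs = require('fs');
  return findCompromised(JSON.parse(fs.readFileSync(file, 'utf8')));
}

// Constructed sample: the top-level copy is the clean 1.95.8, but a
// third-party SDK (hypothetical name) pins a nested compromised copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-bot', dependencies: { '@solana/web3.js': '^1.95.0' } },
    'node_modules/@solana/web3.js': { version: '1.95.8' },
    'node_modules/some-sdk': { version: '2.0.0' },
    'node_modules/some-sdk/node_modules/@solana/web3.js': { version: '1.95.7' },
  },
};

// Stand-alone usage: node scan.js [path/to/package-lock.json]
if (typeof require !== 'undefined' && require.main === module) {
  const found = process.argv[2] ? scanLockfile(process.argv[2]) : findCompromised(SAMPLE_LOCK);
  for (const h of found) console.log(`COMPROMISED ${PACKAGE}@${h.version} at ${h.path}`);
  if (!found.length) console.log('no compromised versions found');
}
```

Run it against every lockfile in CI and deployment images, not just the repository root, since the nested case above is exactly the one a quick `npm ls` at the top level can hide.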