Cybersecurity researchers are alerting to a software supply chain attack targeting the popular @solana/web3.js npm library that involved pushing two malicious versions capable of harvesting users’ private keys with an aim to drain their cryptocurrency wallets.
The attack has been detected in versions 1.95.6 and 1.95.7. Both these versions are no longer available for download from the npm registry. The package is widely used, attracting over 400,000 weekly downloads.
“These compromised versions contain injected malicious code that is designed to steal private keys from unsuspecting developers and users, potentially enabling attackers to drain cryptocurrency wallets,” Socket said in a report.
@solana/web3.js is an npm package that can be used to interact with the Solana JavaScript software development kit (SDK) for building Node.js and web apps.
According to Datadog security researcher Christophe Tafani-Dereeper, “the backdoor inserted in v1.95.7 adds an ‘addToQueue’ function which exfiltrates the private key through seemingly-legitimate CloudFlare headers” and that “calls to this function are then inserted in various places that (legitimately) access the private key.”
The command-and-control (C2) server to which the keys are exfiltrated to (“sol-rpc[.]xyz”) is currently down. It was registered on November 22, 2024, on domain registrar NameSilo.
It’s suspected that the maintainers of the npm package fell victim to a phishing attack that allowed the threat actors to seize control of the accounts and publish the rogue versions.
“A publish-access account was compromised for @solana/web3.js, a JavaScript library that is commonly used by Solana dApps,” Steven Luscher, one of the library maintainers, said in the release notes for version 1.95.8.
“This allowed an attacker to publish unauthorized and malicious packages that were modified, allowing them to steal private key material and drain funds from dApps, like bots, that handle private keys directly. This issue should not affect non-custodial wallets, as they generally do not expose private keys during transactions.”
Luscher also noted that the incident only impacts projects that directly handle private keys and that were updated within the window of 3:20 p.m. UTC and 8:25 p.m. UTC on December 2, 2024.
Users who are relying on @solana/web3.js as a dependency are advised to update to the latest version as soon as possible, and optionally rotate their authority keys if they suspect they are compromised.
The disclosure comes days after Socket warned of a bogus Solana-themed npm package named solana-systemprogram-utils that’s designed to sneakily reroute a user’s funds to an attacker-controlled hard-coded wallet address in 2% of transactions.
“The code cleverly masks its intent by functioning normally 98% of the time,” the Socket Research Team said. “This design minimizes suspicion while still allowing the attacker to siphon funds.”
It also follows the discovery of npm packages such as crypto-keccak, crypto-jsonwebtoken, and crypto-bignumber that masquerade as legitimate libraries but contain code to siphon credentials and cryptocurrency wallet data, once again highlighting how threat actors are continuing to abuse the trust developers place in the open-source ecosystem.
“The malware threatens individual developers by stealing their credentials and wallet data, which can lead to direct financial losses,” security researcher Kirill Boychenko noted. “For organizations, compromised systems create vulnerabilities that can spread throughout enterprise environments, enabling widespread exploitation.”
