
Malicious Versions of Solana Web3.js Library Target Cryptocurrency Wallets

Cybersecurity researchers have uncovered a supply chain attack targeting the widely used @solana/web3.js npm library.

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.


Cybersecurity researchers have uncovered a supply chain attack targeting the widely used @solana/web3.js npm library. This library, the standard way for JavaScript applications to interact with the Solana blockchain, was compromised through two malicious releases, 1.95.6 and 1.95.7. Both contained injected code designed to steal private keys from any application that loaded them through the library, putting the wallets those keys control at significant risk.

Both versions have since been removed from the npm registry, but the incident is a clear illustration of how exposed software supply chains are: with more than 400,000 weekly downloads, a single compromised release of this package could reach a very large number of projects in a matter of hours.

What Happened?

The attack leveraged malicious updates to the @solana/web3.js package to introduce a backdoor for harvesting sensitive data:

  • Malicious Code: Versions 1.95.6 and 1.95.7 included injected code that sent harvested private keys out in HTTP requests whose headers were crafted to look like legitimate Cloudflare headers, so the exfiltration traffic blended in with ordinary web requests.

  • Target Audience: The primary targets were developers and applications that directly handle private keys, such as bots and decentralized applications (dApps).

  • Exfiltration Server: The stolen keys were sent to sol-rpc[.]xyz, a domain registered on November 22, 2024 that is now inactive.

  • Phishing Attack Suspected: Evidence suggests the attackers gained access to an account with publish rights for the package through a phishing attack, which allowed them to push the rogue versions to npm.

Who Is at Risk?

Affected Parties

  1. Developers Using @solana/web3.js: Projects relying on this package to handle private keys directly are at the highest risk.

  2. dApps and Bots: Applications that installed or updated to 1.95.6 or 1.95.7, which were available on npm between 3:20 p.m. UTC and 8:25 p.m. UTC on December 2, 2024, are particularly vulnerable. Projects pinned to an earlier version through a lockfile did not pick up the malicious code.

  3. End Users: While non-custodial wallets are largely unaffected, users interacting with compromised dApps may face indirect risks.

Unaffected Parties

  • Projects and wallets that do not directly expose or handle private keys during transactions.

Key Technical Details

The malicious versions added a function named addToQueue that surreptitiously exfiltrated private keys. It was called from the legitimate code paths in the library that already handle key material, so the extra call looked like part of normal library operation, and its name suggests harmless queueing logic rather than data theft. While the full scale of the attack remains unclear, any project that ran a compromised version with a private key loaded should assume that key was captured.

How to Protect Yourself

For Developers

  1. Update Immediately: Ensure you are using a clean version of @solana/web3.js (1.95.8 or newer). Check your lockfile and transitive dependencies, not just your own package.json, because a dependency of yours may pull in the package on its own.

  2. Audit Dependencies: Regularly review and audit third-party dependencies for unusual changes or vulnerabilities.

  3. Rotate Keys: If a compromised version ran anywhere a private key was loaded, treat that key as stolen rather than merely suspect: rotate any authority keys and update the replacements throughout your projects.

  4. Isolate Keys: Avoid handling private keys directly in your application code. Instead, use hardware wallets or secure key management solutions.
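The first two developer steps above amount to one check: find every place in a dependency tree where the compromised releases resolve, including transitive installs nested under another package. The following is an added example, not code from the article or from the Solana project, that scans an npm lockfile for those releases. It handles both the nested lockfileVersion 1 layout and the flat "packages" map of lockfileVersion 2 and 3; the two sample lockfiles are constructed for the example and the file name scan-lock.js is assumed.

```javascript
"use strict";

// Added example, not code from the article or the Solana project: scan an npm
// lockfile for the two compromised @solana/web3.js releases named in the article.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").

// Versions the article identifies as malicious.
const COMPROMISED = {
  "@solana/web3.js": new Set(["1.95.6", "1.95.7"]),
};

// Derive the package name from a v2/v3 install path such as
// "node_modules/some-sdk/node_modules/@solana/web3.js".
function nameFromPath(installPath) {
  const marker = "node_modules/";
  const i = installPath.lastIndexOf(marker);
  return i === -1 ? installPath : installPath.slice(i + marker.length);
}

// Recursively walk a lockfileVersion 1 "dependencies" tree, recording the
// install path of every compromised package/version pair it contains.
function walkV1(deps, prefix, compromised, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const installPath = `${prefix}node_modules/${name}`;
    const bad = compromised[name];
    if (bad && bad.has(info.version)) {
      hits.push({ path: installPath, name, version: info.version });
    }
    walkV1(info.dependencies, `${installPath}/`, compromised, hits);
  }
}

// Return every install location, direct or transitive, of a compromised release.
function findCompromised(lock, compromised = COMPROMISED) {
  const hits = [];
  if (lock.packages) {
    for (const [installPath, info] of Object.entries(lock.packages)) {
      if (installPath === "") continue; // the root project entry, not a dependency
      const name = nameFromPath(installPath);
      const bad = compromised[name];
      if (bad && bad.has(info.version)) {
        hits.push({ path: installPath, name, version: info.version });
      }
    }
  } else {
    walkV1(lock.dependencies, "", compromised, hits);
  }
  return hits;
}

// Constructed sample lockfiles (not real project data). The v3 sample has a
// compromised direct dependency; the v1 sample hides one under another package.
const SAMPLE_LOCK_V3 = {
  name: "trading-bot",
  lockfileVersion: 3,
  packages: {
    "": { name: "trading-bot", version: "1.0.0" },
    "node_modules/@solana/web3.js": { version: "1.95.7" },
    "node_modules/some-sdk": { version: "2.0.0" },
    "node_modules/some-sdk/node_modules/@solana/web3.js": { version: "1.95.8" },
  },
};

const SAMPLE_LOCK_V1 = {
  name: "dapp",
  lockfileVersion: 1,
  dependencies: {
    "some-sdk": {
      version: "2.0.0",
      dependencies: { "@solana/web3.js": { version: "1.95.6" } },
    },
    "@solana/web3.js": { version: "1.95.5" },
  },
};

// Usage against a real lockfile (assumed file name): node scan-lock.js ./package-lock.json
// Exits non-zero when a compromised release is found, so it can gate a CI job.
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const fs = require("fs");
  const hits = findCompromised(JSON.parse(fs.readFileSync(process.argv[2], "utf8")));
  for (const h of hits) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
  process.exitCode = hits.length ? 1 : 0;
}
```

A lockfile only records what the last install resolved. If a machine ran npm install without a lockfile during the December 2 window, also inspect the version field in node_modules/@solana/web3.js/package.json on that machine, and rebuild from a clean install once the lockfile pins 1.95.8 or newer.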

For Organizations

  1. Implement Dependency Management: Pin dependencies with lockfiles and use automated tooling to review and monitor them, so that a new upstream release cannot enter a build without someone noticing.

  2. Secure Developer Accounts: Educate team members about phishing threats and enable two-factor authentication (2FA) on all developer and publishing accounts, preferring phishing-resistant methods such as hardware security keys, since phishing is the suspected entry point in this incident.

  3. Monitor for Indicators of Compromise: Alert on DNS lookups and outbound connections to the exfiltration domain sol-rpc[.]xyz, and more generally on unexpected egress from hosts that hold signing keys.
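The monitoring step above comes down to matching the one network indicator the article gives, sol-rpc[.]xyz, against DNS and egress logs. The following is an added example, not code from the article or any vendor, that does this over a handful of constructed log lines. The log format (ISO timestamp, host=, then either a dns query or an http request) is invented for the example; it keeps the indicator defanged in source and refangs it at runtime, matches subdomains of the indicator, and deliberately rejects lookalikes such as notsol-rpc.xyz and sol-rpc.xyz.example.com, which a naive substring match would flag.

```javascript
"use strict";

// Added example, not code from the article or any vendor: match the exfiltration
// domain from the article against constructed DNS and egress log lines.

// Turn a defanged indicator ("sol-rpc[.]xyz") into a real hostname.
function refang(indicator) {
  return indicator.replace(/\[\.\]/g, ".").toLowerCase();
}

// Indicator named in the article, stored defanged and refanged for matching.
const IOC_DOMAINS = ["sol-rpc[.]xyz"].map(refang);

// Lowercase and strip the trailing dot of a fully qualified DNS name.
function normalizeHost(hostname) {
  return hostname.toLowerCase().replace(/\.$/, "");
}

// True when hostname is an indicator domain or a subdomain of one.
// "notsol-rpc.xyz" and "sol-rpc.xyz.example.com" must not match.
function matchesIoc(hostname, iocs = IOC_DOMAINS) {
  const h = normalizeHost(hostname);
  return iocs.some((ioc) => h === ioc || h.endsWith("." + ioc));
}

// Parse one line of the constructed log format:
//   <ISO timestamp> host=<name> dns query=<fqdn>
//   <ISO timestamp> host=<name> http <METHOD> <url>
// Returns {ts, host, kind, hostname} or null for lines that do not fit.
function parseLine(line) {
  const m = line.match(/^(\S+)\s+host=(\S+)\s+(dns|http)\s+(.*)$/);
  if (!m) return null;
  const [, ts, host, kind, rest] = m;
  let hostname;
  if (kind === "dns") {
    const q = rest.match(/query=(\S+)/);
    if (!q) return null;
    hostname = normalizeHost(q[1]);
  } else {
    const u = rest.match(/^\S+\s+(https?:\/\/\S+)/);
    if (!u) return null;
    try {
      hostname = normalizeHost(new URL(u[1]).hostname);
    } catch (e) {
      return null; // malformed URL; skip rather than crash the scan
    }
  }
  return { ts, host, kind, hostname };
}

// Return every parsed record whose hostname matches an indicator.
function findIocHits(lines, iocs = IOC_DOMAINS) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (rec && matchesIoc(rec.hostname, iocs)) hits.push(rec);
  }
  return hits;
}

// Constructed sample log (not real traffic). Lines 1, 2 and 4 should alert;
// the last two are lookalikes that must not.
const SAMPLE_LOG = [
  "2024-12-02T16:02:11Z host=bot-01 dns query=sol-rpc.xyz",
  "2024-12-02T16:02:12Z host=bot-01 http POST https://sol-rpc.xyz/api/v1",
  "2024-12-02T16:03:00Z host=bot-02 dns query=rpc.example.com",
  "2024-12-02T16:04:31Z host=bot-02 dns query=cdn.sol-rpc.xyz.",
  "2024-12-02T16:05:00Z host=dev-07 dns query=notsol-rpc.xyz",
  "2024-12-02T16:05:01Z host=dev-07 http GET https://sol-rpc.xyz.example.com/",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const h of findIocHits(SAMPLE_LOG)) {
    console.log(`ALERT ${h.ts} ${h.host} ${h.kind} -> ${h.hostname}`);
  }
}
```

The suffix check is the part worth copying: comparing against the exact domain or a ".domain" suffix is what separates real subdomains of the indicator from unrelated names that merely contain the string. In practice, feed the same function your resolver or proxy logs from the December 2 window onward, since a host that resolved the domain almost certainly ran a compromised build with a key loaded.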

For Users

  1. Verify dApp Updates: Confirm that the decentralized applications you use are not running compromised versions of libraries.

  2. Use Non-Custodial Wallets: Protect your private keys by relying on secure wallets that do not expose them during transactions.

Broader Implications for the Ecosystem

This incident reflects a growing trend of attackers targeting open-source ecosystems to exploit the trust developers place in widely-used libraries:

  • Recent Examples: Threat actors recently published bogus Solana-themed npm packages (such as solana-systemprogram-utils) designed to siphon funds stealthily. These packages behave normally about 98% of the time and divert funds only occasionally, which masks the theft and makes it hard to attribute to the library.

  • Supply Chain Vulnerabilities: Other npm libraries, including crypto-keccak, crypto-jsonwebtoken, and crypto-bignumber, have also been exposed as malicious, highlighting the ongoing abuse of open-source repositories.

Recommendations for the Open-Source Community

  • Enhanced Repository Security: Package managers like npm should adopt stricter controls and automated scanning for malicious code.

  • Developer Awareness: Education about supply chain risks must become a priority to reduce the success rate of phishing and similar attacks.

Conclusion

The attack on @solana/web3.js is a stark reminder of the security risks inherent in software supply chains. While the immediate threat has been mitigated, the incident underscores the need for vigilance, both from developers and organizations relying on open-source tools. By implementing robust security practices and staying informed about evolving threats, stakeholders can better protect their projects and users from similar exploits in the future.