– Two malicious versions (1.95.6 and 1.95.7) were released through a compromised publish-access account
– The attack targeted cryptocurrency private keys and wallet credentials
– Approximately 350,000 weekly downloads were potentially affected
– The breach lasted from 3:20pm to 8:25pm UTC on December 2, 2024
Technical Details:
– Attackers added a malicious "addToQueue" function that collected private keys for exfiltration
– Five key-handling functions were compromised:
* fromSecretKey()
* fromSeed()
* createInstructionWithPublicKey()
* createInstructionWithPrivateKey()
* account constructor
– Stolen data was sent to https://sol-rpc[.]xyz/api/rpc/queue
Impact:
– Estimated $184,000 in cryptocurrency stolen
– Multiple tokens affected including Solana, USD Coin, and various others
– Non-custodial wallets were generally unaffected
Remediation:
– Users should upgrade to version 1.95.8
– Affected users must rotate all keys
– Compromised wallets should be abandoned and funds transferred to new wallets