A critical software supply chain attack has been discovered targeting the @solana/web3.js npm library, affecting versions 1.95.6 and 1.95.7. The compromised versions, which have since been removed from the npm registry, contained malicious code designed to steal cryptocurrency wallet private keys.
Key Points:
– The package receives over 400,000 weekly downloads
– Affected versions: 1.95.6 and 1.95.7
– Attack window: December 2, 2024, 3:20-8:25 PM UTC
– Malicious code exfiltrated private keys through Cloudflare headers to sol-rpc[.]xyz
– Attack likely resulted from a phishing compromise of package maintainer accounts
Impact:
– Only affects projects directly handling private keys
– Non-custodial wallets generally unaffected
– Projects using the library as a dependency are at risk
Remediation Steps:
1. Update to the latest version (1.95.8)
2. Rotate authority keys if potential compromise suspected
This incident follows recent discoveries of other malicious Solana-themed packages, highlighting ongoing security concerns in the open-source ecosystem.