Backdoor Introduced in Solana Web3.js Library to Steal Private Keys

On December 2, 2024, the Solana Web3.js npm package was compromised in a supply chain attack after an account with publishing rights to the package was hijacked. A backdoor was added to the library's code that captured and exfiltrated private cryptocurrency keys.

The @solana/web3.js library, downloaded approximately 400,000 times weekly from npm, is widely used by developers to create decentralized applications (dApps) for Node.js, web platforms, and React Native. It facilitates interaction between dApps, accounts, and programs in the Solana network.

Discovery of the Attack

The supply chain attack was first identified by analysts at Socket. According to their report, two versions of the library, 1.95.6 and 1.95.7, were published as malicious variants and remained available from the official npm registry for about five hours (from 3:20 PM to 8:25 PM UTC on December 2, 2024).

These compromised versions contained harmful code that allowed attackers to steal private keys from developers and users, ultimately enabling cryptocurrency theft.

Malicious Code Details

Christophe Tafani-Dereeper, a cybersecurity expert at Datadog, revealed that the attackers added a malicious function named addToQueue to the library's code. This function captured private keys and exfiltrated them to an attacker-controlled server inside HTTP headers disguised to look like legitimate Cloudflare headers, so the traffic would not stand out in casual review.


Maintainer Response and Recommendations

Solana’s maintainers have confirmed the breach. They explained that the attack occurred due to the compromise of an account with publishing rights, allowing the attackers to upload the malicious library versions.

Developers who interacted with the compromised versions are urged to:

Immediately update to the latest version (1.95.8).
Rotate all keys, secrets, and credentials associated with their projects.
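The following is an added example (not code from the article, from Socket or Datadog, or from the Solana project) showing how a project can check itself against this incident. It uses only the facts stated above: versions 1.95.6 and 1.95.7 were malicious, 1.95.8 is the fixed release, and the injected function was named addToQueue. Everything else is an assumption for illustration: the package-lock.json structure assumed is npm lockfile v2/v3 (a "packages" map keyed by install path), the sample lockfile, the "trading-bot" dependency and the bundle excerpt are constructed, and the range parser handles only exact, caret and tilde ranges. The point worth noting is that a package.json range such as "^1.95.5" admits the compromised versions on a fresh install, so the lockfile (what was actually resolved) and the declared range (what could be resolved next time) both need checking.

```javascript
// Added example (not code from the article, Socket, Datadog or the Solana
// project): audit a project for the compromised @solana/web3.js releases.
// Facts taken from the write-up: versions 1.95.6 and 1.95.7 were malicious,
// 1.95.8 is the fixed release, and the injected function was named addToQueue.
// The lockfile object and the bundle excerpt below are constructed samples.

const COMPROMISED_VERSIONS = ["1.95.6", "1.95.7"];
const FIXED_VERSION = "1.95.8";
const MARKER = "addToQueue";

function parseVersion(v) {
  const [major, minor, patch] = v.split(".").map(Number);
  return { major, minor, patch };
}

function compareVersions(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// 1. The lockfile records what an install actually resolved to. Walk every
//    entry of a v2/v3 package-lock.json "packages" map (assumed format),
//    including nested copies such as node_modules/<dep>/node_modules/@solana/web3.js.
function findCompromisedInstalls(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path.endsWith("node_modules/@solana/web3.js") &&
        COMPROMISED_VERSIONS.includes(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// 2. A package.json range tells you what a fresh install (no lockfile, or
//    `npm update`) could pull. Caret and tilde ranges whose floor is below
//    1.95.8 admit the malicious releases. Handles exact, ^ and ~ ranges for
//    major >= 1; any other syntax is reported as "unknown", never as safe.
function rangeAdmitsCompromised(range) {
  const m = /^([\^~]?)(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) return "unknown";
  const [, op, base] = m;
  const floor = parseVersion(base);
  return COMPROMISED_VERSIONS.some((bad) => {
    const v = parseVersion(bad);
    if (op === "") return compareVersions(v, floor) === 0;
    if (op === "~") {
      return v.major === floor.major && v.minor === floor.minor &&
             compareVersions(v, floor) >= 0;
    }
    return v.major === floor.major && compareVersions(v, floor) >= 0; // caret
  });
}

// 3. Uninstalling is not enough if the malicious code was already bundled or
//    vendored; grep build output for the reported function name.
function findMarkerLines(source) {
  return source.split("\n")
    .map((line, i) => (line.includes(MARKER) ? i + 1 : null))
    .filter((n) => n !== null);
}

function isFixedOrLater(version) {
  return compareVersions(parseVersion(version), parseVersion(FIXED_VERSION)) >= 0;
}

// Constructed sample lockfile: a caret range that resolved to 1.95.7 at the
// top level, plus a nested copy pulled in by a hypothetical "trading-bot".
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@solana/web3.js": "^1.95.5" } },
    "node_modules/@solana/web3.js": { version: "1.95.7" },
    "node_modules/trading-bot/node_modules/@solana/web3.js": { version: "1.95.8" },
  },
};

// Constructed bundle excerpt; only the identifier comes from the report.
const sampleBundle =
  "function sendTransaction(tx) {\n  return rpc(tx);\n}\n" +
  "function addToQueue(payload) {\n  /* hypothetical */\n}\n";

function auditSample() {
  return {
    installs: findCompromisedInstalls(sampleLock),
    rangeRisk: rangeAdmitsCompromised(sampleLock.packages[""].dependencies["@solana/web3.js"]),
    markerLines: findMarkerLines(sampleBundle),
  };
}

console.log(JSON.stringify(auditSample(), null, 2));
```

On the constructed sample the audit reports the top-level 1.95.7 install, flags the "^1.95.5" range as admitting a compromised version, and points at line 4 of the bundle. A real run would load package-lock.json with JSON.parse and walk the build directory instead of the embedded strings; a hit on any of the three checks is a reason to rotate every key the project has handled, not just to bump the version.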

“This issue should not affect non-custodial wallets as they typically do not expose private keys during transactions. The problem lies with the specific JavaScript client library and appears to impact only projects directly handling private keys,” the maintainers clarified.


System Security Concerns

GitHub experts warn that simply uninstalling the package may not remove other malicious software potentially introduced during its installation. Developers should assume their systems are fully compromised and take appropriate steps to secure them.

Industry Reactions

Binance representatives commented on the incident, stating that no major cryptocurrency wallets were breached as part of this supply chain attack. However, they noted that related tools involving private keys, such as bots, might have been compromised due to dependency updates.


Tracing the Stolen Assets

Socket analysts traced the attack to the wallet address FnvLGtucz4E1ppJHRTev6Qv4X7g8Pw6WPStHCcbAKbfx, which currently holds 674.86 Solana tokens alongside various others, including Irish Pepe, Star Atlas, Jupiter, USD Coin, and more. The estimated value of the stolen cryptocurrency exceeds $180,000.
