December 4, 2024 at 05:06AM
Cybersecurity researchers have identified a software supply chain attack targeting the @solana/web3.js npm library, with malicious versions 1.95.6 and 1.95.7 designed to steal users’ private keys and drain cryptocurrency wallets. Affected users are advised to update their versions and potentially rotate their authority keys.
### Meeting Takeaways – December 4, 2024
**Subject:** Supply Chain Attack on @solana/web3.js npm Library
1. **Overview of Attack:**
– A supply chain attack has targeted the popular @solana/web3.js npm library, where two malicious versions (1.95.6 and 1.95.7) were pushed to the npm registry.
– These versions are designed to harvest users’ private keys, potentially draining their cryptocurrency wallets.
2. **Impact of Malicious Versions:**
– The compromised package is widely used, with over 400,000 weekly downloads.
– The attack involved injecting malicious code aimed at stealing private keys from developers and users.
3. **Technical Details:**
– Researcher Christophe Tafani-Dereeper reported that version 1.95.7 included a backdoor function called ‘addToQueue,’ which exfiltrated private keys disguised as legitimate Cloudflare headers.
– The command-and-control server used for exfiltration (sol-rpc[.]xyz) was registered on November 22, 2024, and has since been taken down.
4. **Cause of the Breach:**
– It is suspected that maintainers of the package were victims of a phishing attack, allowing attackers to gain control of the publishing account.
– Steven Luscher, a library maintainer, confirmed that unauthorized packages were published due to this compromise.
5. **Scope of the Incident:**
– Only projects that directly handled private keys and were updated on December 2, 2024, between 3:20 p.m. and 8:25 p.m. UTC are impacted.
– Non-custodial wallets are not affected, as they typically don’t expose private keys during transactions.
6. **User Advisory:**
– Users relying on @solana/web3.js should update to the latest version immediately and consider rotating their authority keys if there’s a suspicion of compromise.
7. **Related Security Concerns:**
– This incident follows the emergence of other malicious npm packages, such as the bogus solana-systemprogram-utils, which reroutes funds to attacker-controlled wallets.
– Other compromised packages (crypto-keccak, crypto-jsonwebtoken, and crypto-bignumber) were also reported, emphasizing ongoing threats in the open-source ecosystem.
8. **Implications:**
– The malware poses a risk to individual developers and can lead to significant financial losses.
– For organizations, compromised systems may lead to broader vulnerabilities and exploitation across enterprise environments.
**Next Steps:**
– Ensure teams using the affected library update their dependencies.
– Monitor for any unusual activity related to private key handling.
– Stay vigilant regarding phishing attempts targeting development accounts.