December 5, 2024 at 06:16PM
Compromised versions of the @solana/web3.js JavaScript library were distributed via npm, allowing attackers to insert malicious code and steal private keys. The breach affected users who pulled the tainted versions during a roughly five-hour window on December 3, 2024, resulting in an estimated loss of $130K. The two affected versions have since been unpublished, and investigations are ongoing.
### Meeting Takeaways
1. **Malware Incident Overview:**
   - Compromised versions of the popular JavaScript library **@solana/web3.js** were distributed via the **npm package registry**.
   - The issue originates from a hijacked @solana account that was used to add malicious code.
2. **Vulnerability Details:**
   - The vulnerability has been documented under **CVE-2024-54134** (CVSS score: 8.3 High).
   - The compromised account allowed unauthorized package versions to be published, leading to potential theft of private key material.
3. **Impact on Users:**
   - The affected library typically has nearly **500,000 weekly downloads** and is used by decentralized applications (dapps) on the Solana blockchain.
   - Notably, **non-custodial wallets** are not impacted, but **dapps** that interacted with the compromised versions (1.95.6 and 1.95.7) during the specified window (December 3, 2024, from 3:20 PM to 8:25 PM UTC) may have been exposed.
4. **Financial Implications:**
   - Estimated financial losses from the incident are approximately **$130,000 USD**.
5. **Root Cause Analysis:**
   - The attack likely began with a **spear phishing email** sent to a member of the @solana npm organization, compromising their credentials, including their two-factor authentication.
   - The exploit came to light after a core contributor noticed unauthorized asset transfers, prompting further investigation.
6. **Specific Technical Findings:**
   - A backdoor added in version **1.95.7** was identified; it exfiltrated private key material using HTTP headers crafted to resemble legitimate Cloudflare headers.
7. **Security Recommendations:**
   - Developers are advised to use tools such as **Socket.dev's free command-line tool** to check for compromised packages.
8. **Next Steps:**
   - Watch for updates from the Solana team for further security advisories or patches related to this incident. Developers must also ensure their applications are secure against similar attacks in the future.
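As a concrete version of the "check for compromised packages" step, here is an added example (not from the original post, Socket.dev or the Solana project) that scans an npm `package-lock.json` for the two flagged @solana/web3.js releases, including copies nested under other dependencies; the sample lockfile and the package name `some-sdk` are constructed for illustration.

```javascript
// Added example (not from the original post or the Solana project): scan an
// npm package-lock.json for the compromised @solana/web3.js releases 1.95.6
// and 1.95.7 named in the advisory, including copies nested under other packages.

const PACKAGE = '@solana/web3.js';
const COMPROMISED_VERSIONS = new Set(['1.95.6', '1.95.7']);

// Lockfile v2/v3: flat "packages" map keyed by install path, e.g.
// "node_modules/@solana/web3.js" or "node_modules/x/node_modules/@solana/web3.js".
function scanPackagesMap(packages) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (!path.endsWith(`node_modules/${PACKAGE}`)) continue;
    if (COMPROMISED_VERSIONS.has(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Lockfile v1: transitive dependencies are nested under each entry's "dependencies".
function scanDependencyTree(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === PACKAGE && COMPROMISED_VERSIONS.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
    scanDependencyTree(meta.dependencies, `${path}/`, hits);
  }
  return hits;
}

// Returns every installed copy of the package at a compromised version,
// whichever lockfile format the project uses.
function findCompromised(lockfile) {
  if (lockfile.packages) return scanPackagesMap(lockfile.packages);
  return scanDependencyTree(lockfile.dependencies, '', []);
}

// Constructed sample lockfile: the direct install is not one of the two flagged
// releases, but a transitive copy pulled in by "some-sdk" is still on 1.95.7.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-dapp', version: '1.0.0' },
    'node_modules/@solana/web3.js': { version: '1.95.5' },
    'node_modules/some-sdk': { version: '2.0.0' },
    'node_modules/some-sdk/node_modules/@solana/web3.js': { version: '1.95.7' },
  },
};
// Usage: replace SAMPLE_LOCKFILE with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).
for (const h of findCompromised(SAMPLE_LOCKFILE)) console.log(`COMPROMISED: ${h.path} @ ${h.version}`);
```

A clean `npm ls @solana/web3.js` can miss nothing this misses, but scanning the lockfile works in CI without a populated `node_modules`.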