Solana Web3.js Library Hack Compromises Security and Steals $160K

• Attack compromises web3.js library and steals cryptocurrencies
• Versions 1.95.6 and 1.95.7 have been modified with malicious code
• Updating to version 1.95.8 is essential for security

On December 2, 2024, a serious flaw compromised the security of the @solana/web3.js JavaScript library, widely used in the development of decentralized applications (dApps) based on the Solana blockchain. The supply chain attack allowed attackers to introduce malicious code into versions 1.95.6 and 1.95.7, resulting in the theft of private keys and the drain of more than $160.000 in cryptocurrency, according to data from Solscan.

Anyone using @solana/web3.js, versions 1.95.6 and 1.95.7 are compromised with a secret stealer leaking private keys. if you or your product are using these versions, upgrade to 1.95.8 (1.95.5 is unaffected)

if you run a service that can blacklist addresses, do your thing with…

— trent.sol (@trentdotsol) December 3, 2024

The attackers gained access to the credentials of an account with publishing permissions on the npm registry, where the library is hosted. From there, they published altered versions of the library containing the malicious 'addToQueue' function. This function captured private key information and sent it to a server controlled by the attackers, disguising the traffic in seemingly legitimate Cloudflare headers.

At the time of publication, Solana's price was quoted at $230,19, up 2.5% in the last 24 hours.

Community Impact and Response
The attack was quickly identified and the compromised versions were removed from npm within five hours. A clean update, version 1.95.8, was published to replace the affected versions. The incident primarily affected developers who updated to the compromised versions during the time frame of 3:20 PM UTC to 8:25 PM UTC on December 2.

Steven Luscher, one of the library’s maintainers, clarified that “this is not an issue with the Solana protocol, but rather with a specific JavaScript client library.” He emphasized that the incident was limited to projects that directly handle private keys, such as bots and backend systems. Non-custodial wallets such as Phantom and Solflare confirmed that they were not impacted, reassuring their users about the safety of their funds.

Recommended Safety Measures
Supply chain attacks like this one demonstrate the risk of relying on external dependencies without regular audits. The Solana community has urged developers to immediately update to version 1.95.8 and conduct a thorough review of their projects, especially those that rely on older versions of the library. It is also recommended that any potentially compromised private keys be rotated.

Practices such as maintaining an audited dependency list, utilizing integrity checking tools, and performing regular updates are essential to mitigate similar attacks. This type of attack not only threatens developers, but also end users who rely on the security of Solana blockchain-based platforms.