Supply Chain Attack Targets Solana npm Package to Steal Cryptocurrency

Cybersecurity researchers are raising alarms over a supply chain attack targeting the popular npm package @solana/web3.js, widely used by Solana developers. Two malicious versions of the package, 1.95.6 and 1.95.7, were found to include injected code designed to steal private keys, posing a significant threat to cryptocurrency wallets.

What Happened?

The attack compromised @solana/web3.js by introducing malicious backdoors in versions 1.95.6 and 1.95.7. These versions have since been removed from the npm registry, but during their brief availability, they posed a critical threat to developers and users relying on the package.

Technical Details

Injected Malicious Code

The rogue versions included an addToQueue function that:

  1. Exfiltrates private keys through Cloudflare headers.
  2. Sends keys to a command-and-control (C2) server, sol-rpc[.]xyz, now offline.

Attack Timeline

  1. The malicious versions were published after attackers likely compromised a maintainer account via phishing.
  2. The backdoor affected projects updated between 3:20 p.m. UTC and 8:25 p.m. UTC on December 2, 2024.

Vulnerable Projects

  1. The backdoor only affects projects that directly handle private keys.
  2. Non-custodial wallets, which do not expose private keys, remain safe.

Immediate Steps for Developers

  1. Update Immediately
    Upgrade to the patched version 1.95.8 of @solana/web3.js.
  2. Rotate Compromised Keys
    If you suspect a breach, rotate your authority keys immediately to mitigate risks.
  3. Audit Dependencies
    Conduct a thorough review of all npm packages in your project to ensure no other malicious libraries are present.
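One way to carry out the dependency audit in step 3, added here as an example (not code from the post, Socket, or the Solana project): a Node.js script that walks package-lock.json (lockfile versions 1, 2 and 3) and flags the package names and versions this post calls malicious. The lockfile content in the block is a constructed sample.

```javascript
// Added example, not from the post or the Solana project: flag lockfile entries for the package versions this post names as malicious.
const KNOWN_BAD = new Map([
  ["@solana/web3.js", new Set(["1.95.6", "1.95.7"])], // only these releases were backdoored
  ["solana-systemprogram-utils", null], // null = every published version is rogue
  ["crypto-keccak", null],
  ["crypto-jsonwebtoken", null],
  ["crypto-bignumber", null],
]);
function record(name, version, path, hits) {
  if (!KNOWN_BAD.has(name)) return;
  const badVersions = KNOWN_BAD.get(name);
  if (badVersions === null || badVersions.has(version)) hits.push({ name, version, path });
}
// lockfileVersion 1: nested "dependencies" objects, one per installed copy.
function walkV1(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    record(name, meta.version, path, hits);
    walkV1(meta.dependencies, `${path}/`, hits); // transitive copies nest under their parent
  }
}
// lockfileVersion 2/3: flat "packages" map keyed by install path.
function walkPackages(packages, hits) {
  const marker = "node_modules/";
  for (const [path, meta] of Object.entries(packages || {})) {
    if (path === "" || meta.link) continue; // skip the root project and workspace symlinks
    const name = meta.name || path.slice(path.lastIndexOf(marker) + marker.length);
    record(name, meta.version, path, hits);
  }
}

function findBadPackages(lockfile) {
  const hits = [];
  if (lockfile.packages) walkPackages(lockfile.packages, hits);
  else walkV1(lockfile.dependencies, "", hits);
  return hits; // [{ name, version, path }, ...]
}

// Constructed sample: the nested 1.95.8 copy is clean; 1.95.7 and crypto-keccak are flagged.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "wallet-app", version: "1.0.0" },
    "node_modules/@solana/web3.js": { version: "1.95.7" },
    "node_modules/some-lib/node_modules/@solana/web3.js": { version: "1.95.8" },
    "node_modules/crypto-keccak": { version: "0.1.0" },
  },
};

if (typeof require !== "undefined" && require.main === module && process.argv[2])
  for (const h of findBadPackages(JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))))
    console.log(`FLAGGED ${h.name}@${h.version} at ${h.path}`);
```

Run it as `node audit-lock.js package-lock.json`; it prints nothing when the lockfile contains none of the listed packages, so a non-empty output is the signal to investigate.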

The Broader Threat Landscape

Sophisticated Techniques

This attack is part of a rising trend of supply chain attacks in the open-source ecosystem. Recent examples include:

  1. solana-systemprogram-utils: A rogue npm package rerouting funds to attacker wallets in 2% of transactions to avoid detection.
  2. crypto-keccak, crypto-jsonwebtoken, and crypto-bignumber: Malicious npm packages stealing wallet data and credentials.

Targeting Developer Trust

Threat actors exploit the inherent trust in open-source software, introducing malicious code that can spread through enterprise environments.

Protecting Against Future Attacks

  1. Use Package Integrity Tools
    Employ tools like Socket to detect supply chain vulnerabilities in dependencies.
  2. Implement Key Management Best Practices
    Avoid handling private keys directly within applications. Use secure wallets or hardware solutions.
  3. Monitor for Indicators of Compromise
    Regularly check logs for unusual activity, such as unauthorized access or unexpected package updates.

This attack underscores the critical need for vigilance in supply chain security. Developers using @solana/web3.js should act immediately to protect their projects and funds by updating to the latest version and reviewing their codebases for any signs of compromise.

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067