Hi everyone, this is the most recent cyber news from Hackingblogs. It is a critical piece, especially for web3 researchers. The well-known @solana/web3.js npm library has been compromised in a supply chain attack. Malicious code inserted into two backdoored versions lets attackers drain cryptocurrency wallets by stealing private keys from the developers and users who installed them.
The Solana Web3.js library, the standard JavaScript client for building decentralised apps (dApps) on the Solana blockchain, was hit by a serious supply chain attack, according to a recent advisory from security researchers. In early December 2024, the compromise led to the publication of backdoored versions of the library that could steal users' private keys and drain their cryptocurrency wallets.
What took place? A Brief Synopsis
The attack targeted the npm package @solana/web3.js, a core dependency for developers working with Solana's blockchain and a package with over 400,000 weekly downloads. Two malicious versions, 1.95.6 and 1.95.7, were published to the official npm registry on December 2, 2024.
These versions contained hidden code that stole the private keys of developers and users whose applications handed those keys to the library. The trojanised releases were available for download for only about five hours, between 3:20 PM UTC and 8:25 PM UTC, before they were removed from npm. Anyone who installed or upgraded the package inside that window may have pulled a malicious copy, and because semver ranges such as ^1.95.0 resolve to the newest matching release, an ordinary install with no pinned version was enough.
Supply chain attack
This is a textbook supply chain attack: a trusted software component is altered so that everyone who installs it is compromised. In this case the attackers were able to publish the malicious updates after taking over an account with publish access to the npm package (the maintainers' post-mortem attributes the takeover to a phishing attack). No vulnerability in the library itself was exploited; the trust placed in the registry account was.
How Did the Malicious Code Operate?
The compromised versions contained a backdoor that let the attackers harvest private keys from unsuspecting developers. The malicious code added an "addToQueue" function that exfiltrated private keys to a command-and-control (C2) server, disguising the traffic with legitimate-looking Cloudflare headers so that it blended in with normal RPC activity. The C2 server was hosted at the domain sol-rpc.xyz, which has since been taken down.
Only applications that hand raw private keys to the library were exposed: the backdoor needed direct access to the key material, so bots, backend services and other automated tools that sign transactions with keys loaded into the process were most at risk. Non-custodial wallets, which sign transactions without ever revealing the private key to the dApp, were not affected by this attack.
A wide range of decentralised applications (dApps) that rely on Solana Web3.js to talk to the Solana blockchain may have picked up the malicious versions, although no major cryptocurrency wallets were known to have been compromised. Affected developers were advised to upgrade to Solana Web3.js version 1.95.8 immediately and to rotate their private keys if they suspect any compromise.
GitHub's advisory warned developers who installed either of the hacked versions to treat their systems as fully compromised. That means rotating every private key and secret the machine held, and doing so from a clean computer rather than the affected one.
Conclusion
Malicious actors frequently impersonate trusted packages to target developers, as seen in earlier incidents such as the malicious solana-systemprogram-utils npm package. Such attacks harm not only individual developers but entire organisations that depend on third-party tools and libraries.
The Solana Web3.js attack is a clear reminder that security awareness is essential in cryptocurrency and blockchain development, even though it did not result in widespread compromises of well-known wallets. Developers need to stay alert and keep dependencies current, but with care: here it was the newest release that was poisoned, so pin exact versions, review what an upgrade changes before adopting it, and keep signing keys out of application code wherever possible so that a compromised dependency has nothing to steal.