
Solana Web3.js Library Backdoored in Supply Chain Attack

Supply chain attack leads to decentralized application developers downloading backdoored versions of the Solana Web3.js library.

Some decentralized application developers this week downloaded backdoored versions of the Solana Web3.js library after an attacker compromised a GitHub account with publish rights.

Solana Web3.js is a JavaScript library that developers commonly use to build decentralized applications (dapps) for Node, web, and React Native. With over 400,000 weekly downloads, the library handles communication between dapps and the accounts and programs on the Solana network.

The incident was disclosed on Tuesday, after two malicious versions of the library were available for download for roughly five hours through the official repository.

The backdoored iterations, namely versions 1.95.6 and 1.95.7, contained code that allowed the attackers to steal private key material and drain funds from dapps, the project’s maintainers noted in web3.js 1.95.8 release notes.

“This issue should not affect non-custodial wallets, as they generally do not expose private keys during transactions. This is not an issue with the Solana protocol itself, but with a specific JavaScript client library and only appears to affect projects that directly handle private keys,” the Solana web3.js maintainers said.

The malicious library versions were available for download between 3:20pm UTC and 8:25pm UTC on December 2, 2024. Both have been removed from the repository and a clean version (1.95.8) was released.

Developers who downloaded one of the backdoored versions are advised to update to Solana Web3.js version 1.95.8 as soon as possible and rotate any suspect keys and account credentials.

According to a GitHub advisory, however, developers who installed one of the malicious versions should consider their systems fully compromised and reset all secrets and keys, from a different computer.


“The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it,” GitHub warned.
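A defender's check for the advice above, added here as an example and not code from SecurityWeek, the Solana project, or GitHub: it walks a parsed package-lock.json (both the lockfile v2/v3 "packages" map and the legacy v1 "dependencies" tree) and reports every copy of @solana/web3.js pinned to 1.95.6 or 1.95.7, including nested copies pulled in transitively by another dependency, which is the path Binance's note about auto-updating bots points at. The package name is the library's npm name; the affected and clean version numbers are the ones in the article; the two lockfiles are constructed samples and "example-trading-bot" is a hypothetical dependency.

```javascript
// Added example (not SecurityWeek's or the Solana project's code): scan a parsed
// npm lockfile for the two backdoored @solana/web3.js releases named in the
// article (1.95.6 and 1.95.7) so a developer can tell whether the GitHub
// advisory's "assume full compromise" guidance applies to a given project.
// "@solana/web3.js" is the library's npm package name; the version numbers
// come from the article. The sample lockfiles below are constructed, not real.

const PACKAGE = "@solana/web3.js";
const AFFECTED_VERSIONS = new Set(["1.95.6", "1.95.7"]);
const CLEAN_VERSION = "1.95.8";

// Returns every copy of the package pinned to an affected version, including
// nested copies that another dependency pulled in transitively.
function findAffected(lockfile) {
  const hits = [];

  if (lockfile.packages) {
    // lockfileVersion 2/3: flat map keyed by install path, e.g.
    // "node_modules/@solana/web3.js" or, for a nested copy,
    // "node_modules/some-dep/node_modules/@solana/web3.js".
    for (const [path, entry] of Object.entries(lockfile.packages)) {
      if (path.endsWith(`node_modules/${PACKAGE}`) && AFFECTED_VERSIONS.has(entry.version)) {
        hits.push({ path, version: entry.version });
      }
    }
    return hits;
  }

  // lockfileVersion 1: nested "dependencies" trees, walked recursively.
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === PACKAGE && AFFECTED_VERSIONS.has(entry.version)) {
        hits.push({ path, version: entry.version });
      }
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lockfile.dependencies, "");
  return hits;
}

// Verdict for one lockfile, phrased the way the advisory frames it.
function assess(lockfile) {
  const hits = findAffected(lockfile);
  if (hits.length === 0) {
    return { compromised: false, message: `no affected ${PACKAGE} versions found` };
  }
  const lines = hits.map((h) => `  ${h.path} -> ${h.version}`);
  return {
    compromised: true,
    message:
      `affected ${PACKAGE} versions installed; treat this host as compromised,\n` +
      `reset secrets from a different machine, and pin ${CLEAN_VERSION}:\n` +
      lines.join("\n"),
  };
}

// Constructed sample: a v3 lockfile whose direct dependency is clean but which
// carries a nested backdoored copy under a hypothetical "example-trading-bot".
const SAMPLE_LOCK_V3 = {
  name: "example-dapp",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-dapp", dependencies: { "@solana/web3.js": "^1.95.8" } },
    "node_modules/@solana/web3.js": { version: "1.95.8" },
    "node_modules/example-trading-bot": {
      version: "2.0.0",
      dependencies: { "@solana/web3.js": "1.95.7" },
    },
    "node_modules/example-trading-bot/node_modules/@solana/web3.js": { version: "1.95.7" },
  },
};

// Constructed sample: a legacy v1 lockfile that pinned the first malicious release.
const SAMPLE_LOCK_V1 = {
  name: "legacy-app",
  lockfileVersion: 1,
  dependencies: {
    "@solana/web3.js": {
      version: "1.95.6",
      dependencies: { "example-helper": { version: "1.0.0" } },
    },
  },
};

for (const sample of [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1]) {
  console.log(`${sample.name}: ${assess(sample).message}`);
}
```

To run it against a real project, replace the sample with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. A hit means the machine should be handled the way the advisory describes (secrets reset from a different computer), not merely that the package needs updating; a clean result from the lockfile alone does not prove the host was never exposed if an affected version was installed and later removed.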

According to Binance, no major cryptocurrency wallets have been hacked as part of the supply chain attack, but incidents were reported: “It is speculated that third-party tools related to private keys, including bots, might have been compromised due to their timely updates of dependency packages.”


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
