A supply chain attack on the widely used @solana/web3.js npm library, aimed at stealing private keys and draining funds, has put developers and cryptocurrency users at risk. The malicious versions, 1.95.6 and 1.95.7, were briefly published on December 2, 2024, and have since been removed.
The attackers compromised the library's maintainers' publish access, probably through phishing, and used it to inject malicious code. Security researchers have shown that the code exfiltrated private keys to an attacker-controlled server, sol-rpc[.]xyz, registered days before the breach.
Christophe Tafani-Dereeper, a cloud security researcher, identified the backdoor function "addToQueue", which hijacked key-handling operations within the package.
The malicious activity affected projects that handle private keys directly and updated their dependencies within the roughly five-hour attack window, such as decentralized applications (dApps) and automated bots that rely on private keys to operate.
Non-custodial wallets, which do not expose private keys during transactions, were not affected. The stolen assets, mainly SOL tokens, are estimated at between $130,000 and $160,000. Major wallets such as Phantom and Coinbase confirmed that they were not affected because they had not integrated the compromised versions.
Preventive steps for developers
Solana Labs and other experts have recommended these actions for developers:
- Audit dependencies to identify any use of @solana/web3.js versions 1.95.6 or 1.95.7
- Update to version 1.95.8 immediately
- Rotate keys, including multisig and program authorities, if a compromise is suspected
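The first step, auditing dependencies, is easy to get wrong if only the top-level package.json is checked: a dApp pinned to a safe release can still carry a nested copy of the compromised version pulled in by a bot framework or SDK. The following script is an added example, not code from the article or from Solana Labs. It scans an npm lockfile (both the lockfileVersion 1 nested tree and the lockfileVersion 2/3 flat "packages" map) for every installed copy of the two versions named above. The sample lockfiles, the project name "example-dapp" and the package "example-trading-bot" are constructed for the demonstration.

```javascript
// Added example (not from the article): scan an npm lockfile for the
// compromised @solana/web3.js releases named in the article (1.95.6, 1.95.7).
// Handles lockfileVersion 1 (nested "dependencies" tree) and lockfileVersion
// 2/3 ("packages" map keyed by node_modules path), so transitive copies
// vendored by another dependency are reported too, not just the top-level one.

const COMPROMISED = {
  "@solana/web3.js": new Set(["1.95.6", "1.95.7"]),
};

// "node_modules/my-bot/node_modules/@solana/web3.js" -> "@solana/web3.js"
function packageNameFromPath(pkgPath) {
  const marker = "node_modules/";
  const idx = pkgPath.lastIndexOf(marker);
  return idx === -1 ? pkgPath : pkgPath.slice(idx + marker.length);
}

function isCompromised(name, version) {
  return COMPROMISED[name] !== undefined && COMPROMISED[name].has(version);
}

// Walk the lockfileVersion 1 "dependencies" tree recursively, building the
// on-disk path of each package so the report says where the copy lives.
function walkV1(deps, parentPath, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = `${parentPath}node_modules/${name}`;
    if (isCompromised(name, info.version)) {
      out.push({ path, name, version: info.version });
    }
    walkV1(info.dependencies, `${path}/`, out);
  }
}

// Return every installed copy of a compromised package, with its lockfile path.
function findCompromised(lockfile) {
  const hits = [];
  if (lockfile.packages) {
    // lockfileVersion 2/3: flat map; the "" entry is the root project itself.
    for (const [path, info] of Object.entries(lockfile.packages)) {
      if (path === "") continue;
      const name = info.name || packageNameFromPath(path);
      if (isCompromised(name, info.version)) {
        hits.push({ path, name, version: info.version });
      }
    }
  } else if (lockfile.dependencies) {
    walkV1(lockfile.dependencies, "", hits);
  }
  return hits;
}

// Constructed sample lockfile (v3): the project itself depends on the clean
// 1.95.8 release, but a trading bot vendors its own nested 1.95.7 copy.
const SAMPLE_LOCK_V3 = {
  name: "example-dapp",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-dapp", version: "1.0.0" },
    "node_modules/@solana/web3.js": { version: "1.95.8" },
    "node_modules/example-trading-bot": { version: "2.3.1" },
    "node_modules/example-trading-bot/node_modules/@solana/web3.js": { version: "1.95.7" },
  },
};

// Constructed sample lockfile (v1): the compromised copy is the top-level one.
const SAMPLE_LOCK_V1 = {
  name: "example-dapp",
  lockfileVersion: 1,
  dependencies: {
    "@solana/web3.js": { version: "1.95.6" },
    "example-trading-bot": {
      version: "2.3.1",
      dependencies: { "@solana/web3.js": { version: "1.95.8" } },
    },
  },
};

for (const lock of [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1]) {
  const hits = findCompromised(lock);
  console.log(`lockfileVersion ${lock.lockfileVersion}: ${hits.length} compromised install(s)`);
  for (const h of hits) console.log(`  ${h.path} @ ${h.version}`);
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findCompromised` in place of the constructed samples. A non-empty result means the remaining two steps apply: upgrade to 1.95.8 and treat every key the affected process could have loaded as compromised and rotate it.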
The incident underscores persistent vulnerabilities in open-source software supply chains. This attack follows other compromises of npm packages, such as crypto-keccak and solana-systemprogram-utils, which similarly targeted cryptocurrency wallets.
"We have seen many different attacks on crypto this year; the ease of stealing wallets, combined with the value in them, makes a tempting target," said Katie Paxton-Fear, API researcher at Traceable AI.
"Combined with the rise in supply chain attacks, it is perhaps not surprising to see a threat actor combine the two: a supply chain attack aimed at the wallets of web 3.0 developers."
The wider impact
Although major wallets such as Phantom and Coinbase were not affected, many developers who integrated the library into smaller dApps and tools were exposed. Security firm Socket called for increased vigilance in managing dependencies in high-risk environments.
This attack underlines the need for robust supply chain security, especially as cryptocurrency ecosystems continue to grow.
"To combat this growing threat, security programs must evolve beyond traditional CVE-based vulnerability management," warned Joe Silva, CEO of Spektion.
"A proactive approach that emphasizes insight into the risks of software components and their runtime behavior will be crucial for effectively managing third-party software and securing the software supply chain."