    Alarming Discovery: Backdoor Found in Solana’s Renowned Web3.js npm Library

    Cybersecurity experts have unearthed a sophisticated software supply chain infiltration targeting the prominent @solana/web3.js npm library. This nefarious operation involved releasing two tampered iterations of the library, engineered to exfiltrate users’ private keys, with the ultimate goal of siphoning cryptocurrency holdings.

    These compromised versions—identified as 1.95.6 and 1.95.7—have been expunged from the npm registry. Given the library’s widespread usage, attracting over 400,000 downloads weekly, the scope of the potential impact is considerable.

    In its analysis, Socket revealed, “The malicious alterations embed code designed to surreptitiously extract private keys from unsuspecting developers and end-users, enabling threat actors to deplete cryptocurrency wallets.”

    The @solana/web3.js package serves as a vital tool for interacting with Solana’s JavaScript SDK, empowering developers to craft applications using Node.js and web technologies.

    According to Christophe Tafani-Dereeper, a security researcher at Datadog, the malicious code in version 1.95.7 incorporates an addToQueue function. This function clandestinely transmits private keys via seemingly benign Cloudflare headers. He further elaborated, “Calls to this function are embedded within various legitimate operations that interact with private keys.”

    The compromised versions communicated with a command-and-control (C2) server (sol-rpc[.]xyz), which has since gone offline. This domain, registered on November 22, 2024, through NameSilo, underscores the calculated nature of this attack.

    Initial investigations suggest that the library maintainers fell prey to a phishing scheme, granting adversaries access to publish these rogue versions. Steven Luscher, one of the package’s maintainers, stated, “A publish-access account for @solana/web3.js was compromised, enabling the attackers to release unauthorized versions with code designed to pilfer private keys and drain funds from dApps and bots that directly handle such sensitive data. Non-custodial wallets are unlikely to be affected, as they typically do not expose private keys during transactions.”

    Luscher emphasized that the attack’s impact is limited to projects that updated the library between 3:20 p.m. and 8:25 p.m. UTC on December 2, 2024. He advised users to promptly update to the latest release and consider rotating their authority keys if there is any suspicion of compromise.
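The practical check that follows from this advice is to confirm that no copy of the two affected releases is pinned anywhere in a project's dependency tree, including nested copies pulled in by other packages. The script below is an added example written for this article, not code from Socket, Datadog or the @solana/web3.js maintainers. It walks an npm lockfile (both the `packages` map of lockfile v2/v3 and the nested `dependencies` tree of lockfile v1) and reports every entry whose name and version match the compromised releases named above. The sample lockfile embedded in it is constructed for demonstration; the version list is taken from the article.

```javascript
// Added example (not part of the original article): scan an npm lockfile for
// the compromised @solana/web3.js releases reported above (1.95.6 and 1.95.7).

// Known-bad name -> set of versions. Values come from the article.
const COMPROMISED = {
  '@solana/web3.js': new Set(['1.95.6', '1.95.7']),
};

// Package name is the text after the last "node_modules/" segment of a
// lockfile v2/v3 path, e.g. "node_modules/foo/node_modules/@solana/web3.js".
function nameFromPath(path) {
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Lockfile v1 keeps a nested "dependencies" tree instead of a flat map;
// recurse through it, rebuilding the on-disk path as we go.
function walkV1(deps, prefix, compromised, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = prefix + 'node_modules/' + name;
    const bad = compromised[name];
    if (bad && entry && bad.has(entry.version)) {
      hits.push({ path, name, version: entry.version });
    }
    walkV1(entry && entry.dependencies, path + '/', compromised, hits);
  }
}

// Return every dependency entry (top-level or nested) whose name/version
// pair is on the compromised list. Works on a parsed lockfile object.
function findCompromised(lockfile, compromised = COMPROMISED) {
  const hits = [];
  if (lockfile && lockfile.packages) {
    for (const [path, entry] of Object.entries(lockfile.packages)) {
      if (path === '') continue; // root project entry, not a dependency
      const name = nameFromPath(path);
      const bad = compromised[name];
      if (bad && entry && bad.has(entry.version)) {
        hits.push({ path, name, version: entry.version });
      }
    }
  } else if (lockfile && lockfile.dependencies) {
    walkV1(lockfile.dependencies, '', compromised, hits);
  }
  return hits;
}

// Convenience wrapper for raw lockfile text (e.g. the contents of
// package-lock.json read from disk).
function scanLockfileText(text) {
  return findCompromised(JSON.parse(text));
}

// Constructed sample lockfile (v3): one direct hit, one nested hit pulled in
// by a bot SDK, and one nested copy on an unaffected version.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-dapp',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-dapp', version: '1.0.0',
          dependencies: { '@solana/web3.js': '^1.95.0' } },
    'node_modules/@solana/web3.js': { version: '1.95.7' },
    'node_modules/some-bot-sdk': { version: '2.0.0',
          dependencies: { '@solana/web3.js': '1.95.6' } },
    'node_modules/some-bot-sdk/node_modules/@solana/web3.js': { version: '1.95.6' },
    'node_modules/other-lib/node_modules/@solana/web3.js': { version: '1.95.5' },
  },
});

// Constructed sample lockfile (v1) with the same nested hit.
const SAMPLE_LOCK_V1 = JSON.stringify({
  name: 'demo-dapp',
  lockfileVersion: 1,
  dependencies: {
    'some-bot-sdk': {
      version: '2.0.0',
      dependencies: { '@solana/web3.js': { version: '1.95.6' } },
    },
  },
});

for (const hit of scanLockfileText(SAMPLE_LOCK)) {
  console.log(`COMPROMISED ${hit.name}@${hit.version} at ${hit.path}`);
}
```

To run it against a real project, feed the contents of its `package-lock.json` to `scanLockfileText`; a non-empty result means the tree still resolves to one of the affected releases and the project should be rebuilt against the current release, with authority keys rotated if the install happened inside the window given above.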

    This unsettling disclosure coincides with a separate warning by Socket about a counterfeit npm package, solana-systemprogram-utils. This fake library diverts funds to an attacker-controlled wallet in 2% of transactions, operating inconspicuously 98% of the time to avoid detection.

    Further compounding the issue is the discovery of malicious npm packages such as crypto-keccak, crypto-jsonwebtoken, and crypto-bignumber. These masquerade as legitimate libraries while embedding code to steal credentials and cryptocurrency wallet data.

    Kirill Boychenko, a security researcher, remarked, “This malware poses dual threats. Individual developers risk having their credentials and wallet information stolen, resulting in direct monetary loss. For organizations, compromised systems become entry points for widespread exploitation, jeopardizing entire enterprise environments.”

    The incident underscores the precarious trust placed in open-source ecosystems and serves as a stark reminder of the vigilance required to safeguard software dependencies in a rapidly evolving threat landscape.
