Cybersecurity researchers are warning of a software supply chain attack targeting the popular @solana/web3.js npm library in which two malicious versions capable of harvesting users' private keys were pushed with the aim of draining their cryptocurrency wallets.
The malicious code has been found in versions 1.95.6 and 1.95.7. Both versions have since been removed from the npm registry. The package is widely used, attracting over 400,000 weekly downloads.
"These compromised versions contain injected malicious code that is designed to steal private keys from unsuspecting developers and users, potentially enabling attackers to drain cryptocurrency wallets," Socket said in a report.
@solana/web3.js is an npm package that can be used to interact with the Solana JavaScript software development kit (SDK) for building Node.js and web apps.
According to Datadog security researcher Christophe Tafani-Dereeper, "the backdoor inserted in v1.95.7 adds an 'addToQueue' function which exfiltrates the private key through seemingly-legitimate CloudFlare headers" and that "calls to this function are then inserted in various places that (legitimately) access the private key."
The command-and-control (C2) server to which the keys are exfiltrated ("sol-rpc[.]xyz") is currently down. It was registered on November 22, 2024, through the domain registrar NameSilo.
It's suspected that the maintainers of the npm package fell victim to a phishing attack that allowed the threat actors to seize control of the accounts and publish the rogue versions.
"A publish-access account was compromised for @solana/web3.js, a JavaScript library that is commonly used by Solana dApps," Steven Luscher, one of the library maintainers, said in the release notes for version 1.95.8.
"This allowed an attacker to publish unauthorized and malicious packages that were modified, allowing them to steal private key material and drain funds from dApps, like bots, that handle private keys directly. This issue should not affect non-custodial wallets, as they generally do not expose private keys during transactions."
Luscher also noted that the incident only impacts projects that directly handle private keys and that were updated within the window of 3:20 p.m. UTC and 8:25 p.m. UTC on December 2, 2024.
Users who are relying on @solana/web3.js as a dependency are advised to update to the latest version as soon as possible, and optionally rotate their authority keys if they suspect they are compromised.
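As an added example (not code from the article or from the @solana/web3.js project), the following Node.js snippet checks an npm lockfile for the two affected versions named above, covering both the flat "packages" map of lockfile v2/v3 and the nested "dependencies" tree of lockfile v1, so that nested copies pulled in by another dependency are flagged too. The sample lockfile and the "some-bot" package name are constructed for the demonstration.

```javascript
// Scan an npm lockfile object for the compromised @solana/web3.js releases.
const PACKAGE = "@solana/web3.js";
const COMPROMISED = new Set(["1.95.6", "1.95.7"]); // versions named in the advisory

// Lockfile v2/v3: "packages" is a flat map keyed by install path.
function scanPackagesMap(packages) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages || {})) {
    if (path.endsWith("node_modules/" + PACKAGE) && COMPROMISED.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Lockfile v1: "dependencies" is a nested tree, so walk it recursively.
function scanDependencyTree(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = prefix + "node_modules/" + name;
    if (name === PACKAGE && COMPROMISED.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
    scanDependencyTree(meta.dependencies, path + "/", hits);
  }
  return hits;
}

// Returns every install path whose version is one of the compromised ones.
function findCompromised(lock) {
  if (lock.packages !== undefined) return scanPackagesMap(lock.packages);
  return scanDependencyTree(lock.dependencies, "", []);
}

// Constructed sample lockfile (v3 shape): a clean direct dependency plus a
// compromised copy nested under a hypothetical "some-bot" package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/@solana/web3.js": { version: "1.95.8" },
    "node_modules/some-bot": { version: "0.1.0" },
    "node_modules/some-bot/node_modules/@solana/web3.js": { version: "1.95.7" },
  },
};

const sampleHits = findCompromised(SAMPLE_LOCK);
for (const h of sampleHits) console.log(`COMPROMISED ${h.version} at ${h.path}`);
```

Run it against a real project by loading package-lock.json with JSON.parse and passing the object to findCompromised; any hit means the dependency tree pulled in one of the two pulled releases and the update-and-rotate advice above applies.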
The disclosure comes days after Socket warned of a bogus Solana-themed npm package named solana-systemprogram-utils that's designed to sneakily reroute a user's funds to an attacker-controlled hard-coded wallet address in 2% of transactions.
"The code cleverly masks its intent by functioning normally 98% of the time," the Socket Research Team said. "This design minimizes suspicion while still allowing the attacker to siphon funds."
It also follows the discovery of npm packages such as crypto-keccak, crypto-jsonwebtoken, and crypto-bignumber that masquerade as legitimate libraries but contain code to siphon credentials and cryptocurrency wallet data, once again highlighting how threat actors are continuing to abuse the trust developers place in the open-source ecosystem.
"The malware threatens individual developers by stealing their credentials and wallet data, which can lead to direct financial losses," security researcher Kirill Boychenko noted. "For organizations, compromised systems create vulnerabilities that can spread throughout enterprise environments, enabling widespread exploitation."
Update
The software supply chain attack targeting the @solana/web3.js npm library has been formally assigned the CVE identifier CVE-2024-54134 (CVSS score: 8.3).
A root cause analysis published by Solana research and development firm Anza has revealed that the attack commenced on December 3, 2024, with a spear-phishing email targeting a @solana npm org member with publish access, thereby allowing the threat actor to steal their credentials and two-factor authentication (2FA) code.
"The hacker sent several emails inviting them to collaborate on a private package," Anza said. "The invite was crafted in such a way that made it appear to have originated from another member of the team."
"When clicked, the successful spear phishing campaign routed a developer with publish access to a clone of the npm website controlled by the hacker where the developer entered their npm username and password, and completed a round of two-factor authentication."
The attack has been found to have led to the unauthorized transfers of crypto assets worth $164,100 (674.86 SOL) to an adversary-controlled wallet, according to Solscan and Solana Explorer.
"The majority of software supply chain attacks that target the open source ecosystem rely on social engineering tactics for success," ReversingLabs' Chief Software Architect, Tomislav Peričin, said. "Such attacks have a tiny blast radius, affecting only a few developers before they get discovered and are taken down."
"This attack is a stark reminder that the trust in software integrity is at an all time low, and that open-source security is a far greater challenge than keeping up with the news and filtering out newly published or untrusted packages."