Solana blockchain's popular web3.js npm package backdoored to steal keys, funds

Damage likely limited to those running bots with private PKI access


Malware-poisoned versions of the widely used JavaScript library @solana/web3.js were distributed via the npm package registry, according to an advisory issued Wednesday by project maintainer Steven Luscher.

An advisory, covering CVE-2024-54134 (CVSS-B: 8.3 High), explains that a hijacked @solana account with permission to publish the library was used to add malicious code.

The library typically sees almost half a million weekly downloads. It’s used in decentralized apps, or dapps, tied to the Solana blockchain, which is not itself affected.

The compromised npm account gave an attacker the opportunity "to publish unauthorized and malicious packages that were modified, allowing them to steal private key material and drain funds from dapps, like bots, that handle private keys directly," the advisory states, before explaining that non-custodial wallets should not be affected.

Two affected versions (1.95.6 and 1.95.7) of the library have since been unpublished. Solana dapps that fetched the @solana/web3.js library as a direct or transitive dependency while those versions were available – a window from 3:20pm UTC to 8:25pm UTC on Tuesday, December 3, 2024 – may have downloaded the malicious code.

Mert Mumtaz, CEO of Helius Labs, which makes Solana tools, estimated that the financial loss to unspecified persons "is roughly 130K USD so far."

"In general, wallets should not be affected since they don't expose private keys – the biggest effect would be on people running JavaScript bots on the backend (ie, not user facing) with private keys on those servers if they updated to this version within the timeframe (last few hours until the patch)," wrote Mumtaz in a social media post.

Solana research and development firm Anza has posted a root cause analysis of the incident that suggests the attack began with a spear phishing email on Tuesday, December 3, at 1520 UTC, to an @solana npm org member with publish access.

The phishing gambit is said to have captured the victim's username, password, and two-factor authentication details.

Anza's analysis indicates that the attack came to light after "a core contributor of @solana/web3.js was alerted of the exploit by an ecosystem team that had installed one of the malicious versions into their application and had deployed it." The affected individual is said to have noticed the unauthorized transfer of assets from unspecified digital wallets to another account.

In a social media post, Christophe Tafani-Dereeper, a security researcher for Datadog, wrote: "The backdoor inserted in v1.95.7 adds an 'addToQueue' function which exfiltrates the private key through seemingly-legitimate Cloudflare headers."

Socket.dev, a software security biz, advises developers to run its free command-line tool to check for the presence of compromised packages.
