Some decentralized application developers this week downloaded backdoored versions of the Solana Web3.js library after an attacker compromised an account with publish rights to the npm package.
Solana Web3.js is a JavaScript library that developers commonly use to build decentralized applications (dapps) for Node, web, and React Native. With over 400,000 weekly downloads, the library handles communication between dapps and the accounts and programs on the Solana network.
The incident was disclosed on Tuesday, after two malicious versions of the library had been available for download from the official npm registry for roughly five hours.
The backdoored releases, versions 1.95.6 and 1.95.7, contained code that allowed the attackers to steal private key material and drain funds from dapps, the project's maintainers noted in the web3.js 1.95.8 release notes.
“This issue should not affect non-custodial wallets, as they generally do not expose private keys during transactions. This is not an issue with the Solana protocol itself, but with a specific JavaScript client library and only appears to affect projects that directly handle private keys,” the Solana web3.js maintainers said.
The malicious library versions were available for download between 3:20pm UTC and 8:25pm UTC on December 2, 2024. Both have been removed from the repository and a clean version (1.95.8) was released.
Developers who installed one of the backdoored versions are advised to update to Solana Web3.js version 1.95.8 as soon as possible and to rotate any keys and account credentials that may have been exposed.
According to a GitHub advisory, however, developers who installed one of the malicious versions should consider their systems fully compromised and reset all secrets and keys, from a different computer.
“The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it,” GitHub warned.
According to Binance, no major cryptocurrency wallets have been hacked as part of the supply chain attack, but some incidents were reported: "It is speculated that third-party tools related to private keys, including bots, might have been compromised due to their timely updates of dependency packages."
Related: Hackers Stole $1.49 Billion in Cryptocurrency to Date in 2024
Related: Verifying Software Integrity With Sigstore