Solana blockchain's popular web3.js npm package backdoored to steal keys, funds

Malware-poisoned versions of the widely used JavaScript library @solana/web3.js were distributed via the npm package registry, according to an advisory issued Wednesday by project maintainer Steven Luscher.

An advisory, covering CVE-2024-54134 (CVSS-B: 8.3 High), explains that a hijacked @solana account with permission to publish the library was used to add malicious code.

The library typically sees almost half a million weekly downloads. It's used in decentralized apps, or dapps, tied to the Solana blockchain, which is not itself affected.

The compromised npm account gave an attacker the opportunity "to publish unauthorized and malicious packages that were modified, allowing them to steal private key material and drain funds from dapps, like bots, that handle private keys directly," the advisory states, before explaining that non-custodial wallets should not be affected.

Two affected versions (1.95.6 and 1.95.7) of the library have since been unpublished. Solana dapps that fetched the @solana/web3.js library as a direct or transitive dependency while those versions were available - a window from 3:20pm UTC to 8:25pm UTC on Tuesday, December 3, 2024 - may have downloaded the malicious code.
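Because a clean top-level copy of the library does not rule out a compromised copy pulled in as a transitive dependency, the practical check is to walk the whole lockfile, not just the first entry. The script below is an added example (not code from the advisory, Anza, Socket or The Register) that parses an npm `package-lock.json` in either the v1 (`dependencies`) or v2/v3 (`packages`) layout and reports every install of `@solana/web3.js` at 1.95.6 or 1.95.7, wherever it is nested. The lockfile embedded in the block is constructed for the example; the package `some-sdk` in it is hypothetical.

```javascript
// Added example: scan an npm lockfile for the two compromised
// @solana/web3.js releases (1.95.6, 1.95.7) named in CVE-2024-54134.
const COMPROMISED = { '@solana/web3.js': new Set(['1.95.6', '1.95.7']) };

// Lockfile v2/v3 keys are install paths such as
// "node_modules/some-sdk/node_modules/@solana/web3.js"; the package name is
// everything after the last "node_modules/" segment.
function packageNameFromPath(installPath) {
  const marker = 'node_modules/';
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? installPath : installPath.slice(idx + marker.length);
}

// Lockfile v1 nests transitive dependencies inside each entry's
// "dependencies" object, so it has to be walked recursively.
function walkV1(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = `${prefix}/${name}`;
    const bad = COMPROMISED[name];
    if (bad && bad.has(meta.version)) hits.push({ path, name, version: meta.version });
    if (meta.dependencies) walkV1(meta.dependencies, `${path}/node_modules`, hits);
  }
}

// Returns one record per compromised install found in a parsed lockfile.
// v2 lockfiles carry both layouts; "packages" is authoritative there, so the
// v1 tree is only used when "packages" is absent (avoids double counting).
function findCompromised(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // "" is the root project itself
      const name = packageNameFromPath(path);
      const bad = COMPROMISED[name];
      if (bad && bad.has(meta.version)) hits.push({ path, name, version: meta.version });
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, 'node_modules', hits);
  }
  return hits;
}

// Constructed sample lockfile (v3): the top-level copy of the library is a
// safe 1.95.5, but a hypothetical SDK pins its own nested copy at 1.95.7.
const SAMPLE_LOCK = {
  name: 'example-bot',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-bot', dependencies: { '@solana/web3.js': '^1.95.0', 'some-sdk': '^2.0.0' } },
    'node_modules/@solana/web3.js': { version: '1.95.5' },
    'node_modules/some-sdk': { version: '2.0.0', dependencies: { '@solana/web3.js': '1.95.7' } },
    'node_modules/some-sdk/node_modules/@solana/web3.js': { version: '1.95.7' },
  },
};

// Usage: `node scan-lock.js [path/to/package-lock.json]`; with no argument the
// constructed sample above is scanned so the script runs offline.
let lock = SAMPLE_LOCK;
if (process.argv[2]) {
  const fs = require('fs');
  lock = JSON.parse(fs.readFileSync(process.argv[2], 'utf8'));
}
const found = findCompromised(lock);
if (found.length === 0) {
  console.log('no compromised @solana/web3.js installs found');
} else {
  for (const h of found) console.log(`COMPROMISED: ${h.name}@${h.version} at ${h.path}`);
}
```

On the sample above the script reports only the nested copy under `some-sdk`, which is the case a quick look at the top-level `node_modules/@solana/web3.js` would miss. Running `npm ls @solana/web3.js` in the project gives the same tree interactively. A hit in a lockfile that was regenerated during the December 3 window should be treated as possible exposure of any key material the process handled, not merely as a version to bump.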

Mert Mumtaz, CEO of Helius Labs, which makes Solana tools, estimated that the financial loss to unspecified persons "is roughly 130K USD so far."

"In general, wallets should not be affected since they don't expose private keys - the biggest effect would be on people running JavaScript bots on the backend (ie, not user facing) with private keys on those servers if they updated to this version within the timeframe (last few hours until the patch)," wrote Mumtaz in a social media post.

Solana research and development firm Anza has posted a root cause analysis of the incident that suggests the attack began with a spear phishing email on Tuesday, December 3, at 15:20 UTC, to an @solana npm org member with publish access.

The phishing gambit is said to have captured the victim's username, password, and two-factor authentication details.

Anza's analysis indicates that the attack came to light after "a core contributor of @solana/web3.js was alerted of the exploit by an ecosystem team that had installed one of the malicious versions into their application and had deployed it." The affected individual is said to have noticed the unauthorized transfer of assets from unspecified digital wallets to another account.

In a social media post, Christophe Tafani-Dereeper, a security researcher for Datadog, wrote: "The backdoor inserted in v1.95.7 adds an 'addToQueue' function which exfiltrates the private key through seemingly-legitimate Cloudflare headers."

Socket.dev, a software security biz, advises developers to run its free command-line tool to check for the presence of compromised packages. ®
