Full Report
Cybersecurity researchers are warning of a software supply chain attack targeting the popular @solana/web3.js npm library, in which two malicious versions capable of harvesting users' private keys were published with the aim of draining their cryptocurrency wallets. The attack has been detected in versions 1.95.6 and 1.95.7. Both these versions are no longer available for download from the npm
Analysis Summary
This summary is based on the source article describing the supply chain attack on the Solana Web3.js npm library. Because the article does not provide a CVE identifier or CVSS score, placeholders derived from the context are used, on the assumption that the incident would be tracked under a formal identifier.
# Vulnerability: Supply Chain Backdoor in Solana Web3.js npm Library
## CVE Details
- CVE ID: [Not explicitly provided, tracking required]
- CVSS Score: [Not explicitly provided, estimated High due to key theft] (Severity: TBD)
- CWE: CWE-502 (Deserialization of Untrusted Data) or CWE-20 (Improper Input Validation), depending on the precise vector of compromise, but fundamentally a **Supply Chain Compromise (CWE-807)**.
## Affected Systems
- Products: `@solana/web3.js` npm library
- Versions: `1.95.6` and `1.95.7`
- Configurations: Applications (especially dApps and bots) that use these versions and handle private keys directly in memory or configuration. Non-custodial wallets are reported to be less affected, because they do not normally expose private keys during transactions.
## Vulnerability Description
A software supply chain attack occurred in which threat actors gained unauthorized publish access to the `@solana/web3.js` npm package (likely via a phishing attack against an account holding publish rights). Malicious code was injected into versions 1.95.6 and 1.95.7; the injected code added an `addToQueue` function designed to harvest private keys from unsuspecting developers and users.
## Exploitation
- Status: **Backdoor published; assumed active threat if systems are not patched.** The C2 server (`sol-rpc[.]xyz`) was registered and is currently down, suggesting the active phase may have been disrupted or ended once the attack was discovered.
- Complexity: Medium (a victim must install one of the compromised library versions; once that code runs, the key-harvesting logic itself is straightforward).
- Attack Vector: Network/Supply Chain
## Impact
- Confidentiality: **High** (Private keys are stolen, leading to full account compromise).
- Integrity: **High** (Attacker can perform unauthorized transactions).
- Availability: **Low** (Direct impact on application availability is not the primary goal, though stolen funds erode trust in the system).
## Remediation
### Patches
- **Upgrade to version 1.95.8 or later.** (Version 1.95.8 was released once the malicious publish access had been revoked and the rogue versions removed.)
- Remove or downgrade affected packages (`1.95.6`, `1.95.7`).
### Workarounds
- Immediately review all dependencies and ensure no usage of versions `1.95.6` or `1.95.7`.
- If direct key handling cannot be avoided immediately, audit application code paths that legitimately access private keys and ensure that no unexpected calls to functions similar to `addToQueue` are occurring.
- Rotate any secrets or keys that were known to be handled by applications using the vulnerable versions, though this may be difficult post-compromise.
## Detection
- Indicators of Compromise (IOCs): Network egress traffic originating from the application server attempting to communicate with the C2 domain `sol-rpc[.]xyz`.
- Detection Methods and Tools: Monitor application logs and network traffic for outbound connections to suspicious or unknown domains, especially where data is carried in HTTP headers (as suggested by the Cloudflare header exfiltration method). Security monitoring tools should analyze package manager lock files for the presence of the compromised versions.
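Added example (not from the advisory or the project): a Node.js script that walks a `package-lock.json` in lockfile v1, v2 or v3 shape and reports every installed copy of `@solana/web3.js` at a compromised version, including copies nested under another dependency, which is the check the workaround and detection items above both call for. The sample lockfile and the `some-trading-sdk` package in it are constructed.

```javascript
const PACKAGE = '@solana/web3.js';
const COMPROMISED = new Set(['1.95.6', '1.95.7']); // versions named in the advisory

// Lockfile v1: "dependencies" is a tree of objects keyed by package name.
function walkV1(deps, path, out) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = [...path, name];
    if (name === PACKAGE && COMPROMISED.has(meta.version)) {
      out.push({ version: meta.version, location: here.join(' > ') });
    }
    walkV1(meta.dependencies, here, out); // copies nested under another dependency
  }
}

// Lockfile v2/v3: "packages" is a flat map keyed by install path, e.g.
// "node_modules/some-sdk/node_modules/@solana/web3.js".
function walkPackages(packages, out) {
  for (const [key, meta] of Object.entries(packages || {})) {
    if (key.endsWith('node_modules/' + PACKAGE) && COMPROMISED.has(meta.version)) {
      out.push({ version: meta.version, location: key });
    }
  }
}

// Accepts package-lock.json contents (string) or the parsed object; returns every hit.
// A v2 lockfile carries both shapes, so only one is walked to avoid double counting.
function findCompromised(lockJson) {
  const lock = typeof lockJson === 'string' ? JSON.parse(lockJson) : lockJson;
  const out = [];
  if (lock.packages) walkPackages(lock.packages, out);
  else walkV1(lock.dependencies, [], out);
  return out;
}

// Constructed sample (v3 shape): the direct dependency is already on 1.95.8, but a
// hypothetical third-party SDK pins a compromised copy under its own node_modules.
const SAMPLE_LOCK = JSON.stringify({
  name: 'example-bot', lockfileVersion: 3,
  packages: {
    '': { name: 'example-bot', dependencies: { '@solana/web3.js': '^1.95.0' } },
    'node_modules/@solana/web3.js': { version: '1.95.8' },
    'node_modules/some-trading-sdk': { version: '2.0.0', dependencies: { '@solana/web3.js': '1.95.7' } },
    'node_modules/some-trading-sdk/node_modules/@solana/web3.js': { version: '1.95.7' },
  },
});

for (const hit of findCompromised(SAMPLE_LOCK)) {
  console.log(`compromised ${PACKAGE}@${hit.version} at ${hit.location}`);
}
```

For a real project, pass `require('node:fs').readFileSync('package-lock.json', 'utf8')` to `findCompromised`; any returned entry means a compromised build is installed somewhere in the tree, and that copy must be moved to 1.95.8 or later even if the top-level dependency already is.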
## References
- Vendor Advisory (Maintainer Release Notes): hxxps://github.com/solana-labs/solana-web3.js/releases/tag/v1.95.8
- Security Report (Socket.dev): hxxps://socket.dev/blog/supply-chain-attack-solana-web3-js-library