# Incident Report: Solana Web3.js Supply Chain Compromise
## Executive Summary
A critical supply chain attack was discovered on December 3, 2024, targeting the popular `@solana/web3.js` JavaScript library (versions 1.95.6 and 1.95.7). Attackers compromised an npm publish account to inject a malicious backdoor, which exfiltrated private keys and resulted in the theft of over $190,000 in cryptocurrency. Rapid mitigation involved revoking the compromised versions and releasing an immediate patch.
## Incident Details
- **Discovery Date:** December 3, 2024
- **Incident Date:** Attack window opened on December 2, 2024 (five-hour period)
- **Affected Organization:** Developers/Users of `@solana/web3.js` library
- **Sector:** Technology / Blockchain Infrastructure
- **Geography:** Global (due to npm distribution)
## Timeline of Events
### Initial Access
- **Date/Time:** On or around December 2, 2024 (five-hour window)
- **Vector:** Compromised npm publish account linked to the `@solana/web3.js` library.
- **Details:** A malicious backdoor was injected into official library versions 1.95.6 and 1.95.7 during the publish process.
### Lateral Movement
- *Not explicitly detailed as lateral movement within an internal network; the compromise focused on the software repository.*
- **Details:** Access was confined to the npm publishing pipeline: the compromised publish account was used to push the backdoored versions to the registry.
### Data Exfiltration/Impact
- **Date/Time:** During the five-hour active window on December 2, 2024.
- **Details:** The backdoor captured private keys interacting with the library and exfiltrated them to an attacker-controlled domain (`sol-rpc[.]xyz`). Over $190,000 in cryptocurrency was stolen.
### Detection & Response
- **Date/Time:** Detected on December 3, 2024.
- **Details:** Security researchers or platform monitoring identified the malicious code. Response actions included revoking the compromised versions from npm and releasing a patched version (1.95.8).
## Attack Methodology
- **Initial Access:** Supply Chain Compromise (Compromised npm publish account).
- **Persistence:** Malicious code resident within the published package versions (1.95.6/1.95.7).
- **Privilege Escalation:** *Not applicable in this context; direct compromise of the publishing mechanism.*
- **Defense Evasion:** The malicious code was heavily obfuscated, and exfiltration was hidden in HTTP headers crafted to resemble legitimate CloudFront headers.
- **Credential Access:** Directly targeted and captured private keys initialized through the library.
- **Discovery:** *Not explicitly detailed in terms of pre-attack recon, but injection was targeted at key handling areas.*
- **Lateral Movement:** N/A (Focused on software artifact manipulation).
- **Collection:** Targeting private keys interacting with the library functions.
- **Exfiltration:** Data sent to the attacker-controlled endpoint: `sol-rpc[.]xyz`.
- **Impact:** Financial theft of cryptocurrency.
## Impact Assessment
- **Financial:** Theft of over $190,000 in cryptocurrency.
- **Data Breach:** Sensitive credentials (private keys) were compromised and exfiltrated.
- **Operational:** Disruption for all users of versions 1.95.6 and 1.95.7, necessitating immediate dependency updates. High risk due to library usage in backend systems and bots.
- **Reputational:** Negative impact on trust in the npm ecosystem and dependency management practices.
## Indicators of Compromise
- **Network Indicators (Defanged):**
  - C2 Domain: `sol-rpc[.]xyz`
- **File Indicators:**
  - Compromised package versions: `@solana/web3.js` 1.95.6 and 1.95.7
- **Behavioral Indicators:**
  - Heavily obfuscated code that sends sensitive data inside seemingly legitimate HTTP headers (e.g., CloudFront header mimicry).
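The two network indicators above can be turned into a simple egress-log check. The following is an added example, not code from the incident report or from the Solana project: it refangs the defanged C2 domain and flags outbound requests to it, and separately flags CloudFront-style request headers sent to hosts that are not CloudFront. The log line format, the `x-amz-cf-` header prefix heuristic and the CloudFront host suffixes are assumptions made for illustration; the sample log lines are constructed.

```javascript
// Added example (not from the incident report): scan egress/proxy log lines for the
// network and behavioral indicators described above. The log format, the header
// prefix heuristic and the CloudFront host allow-list are assumptions for illustration.

// Refang the defanged domain from the report so it can be matched against live logs.
const C2_DOMAIN = "sol-rpc[.]xyz".replace("[.]", ".");

// Hosts where CloudFront-style request headers are expected. Any other host that
// receives such headers is treated as possible header mimicry (assumed heuristic).
const CLOUDFRONT_HOST_SUFFIXES = [".cloudfront.net", ".amazonaws.com"];

// Parse one constructed log line of the form:
//   <timestamp> <method> <url> hdr=<name>:<value>;<name>:<value>
function parseLine(line) {
  const m = line.match(/^(\S+)\s+(\S+)\s+(\S+)(?:\s+hdr=(.*))?$/);
  if (!m) return null;
  const headers = {};
  for (const kv of (m[4] || "").split(";")) {
    const i = kv.indexOf(":");
    if (i < 0) continue;
    headers[kv.slice(0, i).trim().toLowerCase()] = kv.slice(i + 1).trim();
  }
  let host;
  try {
    host = new URL(m[3]).hostname.toLowerCase();
  } catch {
    return null;
  }
  return { ts: m[1], method: m[2], url: m[3], host, headers };
}

function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

function looksLikeCloudFrontHost(host) {
  return CLOUDFRONT_HOST_SUFFIXES.some((suffix) => host.endsWith(suffix));
}

// Return one finding per suspicious request: either traffic to the known C2 domain,
// or CloudFront-looking headers sent to a host that is not CloudFront.
function detectIndicators(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue;
    if (hostMatches(req.host, C2_DOMAIN)) {
      findings.push({ ts: req.ts, host: req.host, rule: "c2-domain" });
      continue;
    }
    const cfHeaders = Object.keys(req.headers).filter((h) => h.startsWith("x-amz-cf-"));
    if (cfHeaders.length > 0 && !looksLikeCloudFrontHost(req.host)) {
      findings.push({ ts: req.ts, host: req.host, rule: "cloudfront-header-mimicry", headers: cfHeaders });
    }
  }
  return findings;
}

// Constructed sample log lines (not real traffic). The C2 URL path and the
// 203.0.113.10 collector address are made up for the example.
const SAMPLE_LOG = [
  "2024-12-02T16:01:02Z POST https://api.mainnet-beta.solana.com/ hdr=content-type:application/json",
  "2024-12-02T16:01:05Z POST https://sol-rpc.xyz/ hdr=content-type:application/json",
  "2024-12-02T16:02:11Z GET https://d111111abcdef8.cloudfront.net/app.js hdr=x-amz-cf-id:abc123",
  "2024-12-02T16:02:30Z POST https://203.0.113.10/collect hdr=x-amz-cf-id:ZmFrZQ==;content-type:text/plain",
];

console.log(JSON.stringify(detectIndicators(SAMPLE_LOG), null, 2));
```

Run against the constructed sample, the check reports the request to `sol-rpc.xyz` and the request carrying an `x-amz-cf-id` header to a bare IP address, while the genuine CloudFront request and the Solana RPC call pass. The header heuristic is deliberately broad; in production it would be tuned against the organization's own baseline of hosts that legitimately see such headers.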
## Response Actions
- **Containment:** Revocation of the compromised package versions (1.95.6 and 1.95.7) from the npm registry.
- **Eradication:** Takedown of the attacker C2 server (`sol-rpc[.]xyz`).
- **Recovery:** Release of a patched, clean version (1.95.8) for immediate adoption.
## Lessons Learned
- **Dependency Integrity is Paramount:** Compromise of a single publishing account can lead to widespread, high-impact supply chain attacks.
- **Obfuscation as a Red Flag:** Heavily obfuscated malicious code indicates a deliberate attempt to bypass static analysis review.
- **Broad Impact of Core Libraries:** Libraries with very high download counts (up to 450,000 weekly) give a single poisoned release an immediate and wide blast radius.
## Recommendations
- **Strengthen Account Security:** Implement mandatory Multi-Factor Authentication (MFA) and granular access controls for all critical developer/publisher accounts on package registries (e.g., npm).
- **Dependency Scanning:** Utilize automated tools to monitor dependencies for suspicious code changes, especially obfuscation or unexpected network activity (like hardcoded exfiltration targets).
- **Pin Dependencies:** Encourage users to strictly pin known-good, older versions until new versions can be vetted, preventing automatic ingestion of potentially poisoned updates.
- **Isolate Publishing Access:** Ensure the credentials used to publish packages are not used for any other purpose and are heavily protected.
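The "Dependency Scanning" and "Pin Dependencies" recommendations above can be checked mechanically. The following is an added example, not code from the incident report or from the Solana project: it audits a project's `package.json` range and its npm lockfile for the two compromised releases, showing why a caret range such as `^1.95.0` would have pulled in 1.95.6 or 1.95.7 automatically while an exact pin would not. The manifest and lockfile contents are constructed samples; the range matcher is a simplified stand-in for the `semver` package that handles only exact, caret and tilde ranges, and the lockfile layout follows npm's lockfileVersion 2/3 `packages` map.

```javascript
// Added example (not from the incident report): audit a manifest and lockfile for the
// compromised @solana/web3.js releases. Sample file contents are constructed; the range
// matcher is a simplified stand-in for the semver package (exact, caret, tilde only).

const PACKAGE = "@solana/web3.js";
const COMPROMISED = ["1.95.6", "1.95.7"]; // versions named in the report

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Does `range` admit `version`? Unknown range syntax is treated as admitting
// everything so the audit errs toward flagging rather than staying silent.
function rangeAdmits(range, version) {
  const ver = parseVersion(version);
  if (!ver) return false;
  const exact = parseVersion(range);
  if (exact) return cmp(exact, ver) === 0;
  const m = /^([\^~])(\d+\.\d+\.\d+)$/.exec(range);
  if (!m) return true;
  const base = parseVersion(m[2]);
  if (cmp(ver, base) < 0) return false;
  let upper;
  if (m[1] === "~") {
    upper = [base[0], base[1] + 1, 0]; // ~1.2.3 := >=1.2.3 <1.3.0
  } else if (base[0] > 0) {
    upper = [base[0] + 1, 0, 0]; // ^1.2.3 := >=1.2.3 <2.0.0
  } else if (base[1] > 0) {
    upper = [0, base[1] + 1, 0]; // ^0.2.3 := >=0.2.3 <0.3.0
  } else {
    upper = [0, 0, base[2] + 1]; // ^0.0.3 := >=0.0.3 <0.0.4
  }
  return cmp(ver, upper) < 0;
}

// Report (a) a manifest range that would admit a compromised version and
// (b) any lockfile entry, direct or nested, already resolved to one.
function auditProject(packageJsonText, lockfileText) {
  const findings = [];
  const pkg = JSON.parse(packageJsonText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  if (deps[PACKAGE]) {
    const admits = COMPROMISED.filter((v) => rangeAdmits(deps[PACKAGE], v));
    if (admits.length) findings.push({ where: "package.json", range: deps[PACKAGE], admits });
  }
  if (lockfileText) {
    const lock = JSON.parse(lockfileText);
    for (const [path, entry] of Object.entries(lock.packages || {})) {
      if (path.endsWith("node_modules/" + PACKAGE) && COMPROMISED.includes(entry.version)) {
        findings.push({ where: path, version: entry.version });
      }
    }
  }
  return findings;
}

// Constructed weak manifest: a caret range that silently accepts new 1.x releases.
const WEAK_PACKAGE_JSON = JSON.stringify({
  name: "example-bot",
  dependencies: { [PACKAGE]: "^1.95.0", "some-wallet-sdk": "^2.0.0" },
});

// Constructed corrected manifest: exact pin on the clean release plus an npm
// `overrides` entry so transitive copies resolve to the same version.
const PINNED_PACKAGE_JSON = JSON.stringify({
  name: "example-bot",
  dependencies: { [PACKAGE]: "1.95.8", "some-wallet-sdk": "2.0.0" },
  overrides: { [PACKAGE]: "1.95.8" },
});

// Constructed lockfile (lockfileVersion 3) where a transitive dependency
// already resolved to a compromised release.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "example-bot",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-bot", dependencies: { [PACKAGE]: "^1.95.0" } },
    "node_modules/@solana/web3.js": { version: "1.95.5" },
    "node_modules/some-wallet-sdk": { version: "2.0.0" },
    "node_modules/some-wallet-sdk/node_modules/@solana/web3.js": { version: "1.95.7" },
  },
});

console.log("weak:", JSON.stringify(auditProject(WEAK_PACKAGE_JSON, SAMPLE_LOCKFILE)));
console.log("pinned:", JSON.stringify(auditProject(PINNED_PACKAGE_JSON, null)));
```

On the constructed input the weak manifest is flagged twice: its `^1.95.0` range admits both compromised releases, and the nested copy under `some-wallet-sdk` has already resolved to 1.95.7 even though the top-level copy is 1.95.5. The pinned manifest produces no findings. Pinning alone does not retroactively clean a lockfile, which is why both checks are run.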