# Solana blockchain's popular web3.js npm package backdoored to steal keys, funds

**Damage likely limited to those running bots with private key access**

[Thomas Claburn](/Author/Thomas-Claburn) Thu 5 Dec 2024 // 23:13 UTC

Malware-poisoned versions of the widely used JavaScript library @solana/web3.js were distributed via the npm package registry, according to an advisory issued Wednesday by project maintainer Steven Luscher.

An [advisory](https://github.com/advisories/GHSA-jcxm-7wvp-g6p5), covering [CVE-2024-54134](https://nvd.nist.gov/vuln/detail/CVE-2024-54134) (CVSS-B: 8.3 High), explains that a hijacked @solana account with permission to publish the library was used to add malicious code.

[The library](https://www.npmjs.com/package/@solana/web3.js) typically sees almost half a million weekly downloads. It's [used in](https://solana.com/docs/clients/javascript#what-is-solana-web3js) decentralized apps, or [dapps](https://www.kraken.com/learn/what-is-a-decentralized-application-dapp), tied to the Solana blockchain, which is not itself affected.

The compromised npm account gave an attacker the opportunity "to publish unauthorized and malicious packages that were modified, allowing them to steal private key material and drain funds from dapps, like bots, that handle private keys directly," the [advisory](https://github.com/advisories/GHSA-jcxm-7wvp-g6p5) states, before explaining that non-custodial wallets should not be affected.

Two affected versions (1.95.6 and 1.95.7) of the library have since been unpublished. Solana dapps that fetched the @solana/web3.js library as a direct or transitive dependency while those versions were available — a window from 3:20pm UTC to 8:25pm UTC on Tuesday, December 3, 2024 — may have downloaded the malicious code.

Mert Mumtaz, CEO of Helius Labs, which makes Solana tools, estimated that the financial loss to unspecified persons "is roughly 130K USD so far."

"In general, wallets should not be affected since they don't expose private keys — the biggest effect would be on people running JavaScript bots on the backend (ie, not user facing) with private keys on those servers if they updated to this version within the timeframe (last few hours until the patch)," wrote Mumtaz in a social media [post](https://x.com/0xMert_/status/1864069157257613719).

Solana research and development firm Anza has posted a [root cause analysis](https://www.anza.xyz/blog/web3-js-exploit-root-cause-analysis) of the incident that suggests the attack began with a spear phishing email on Tuesday, December 3, at 1520 UTC, to an @solana npm org member with publish access. The phishing gambit is said to have captured the victim's username, password, and two-factor authentication details.

Anza's analysis indicates that the attack came to light after "a core contributor of @solana/web3.js was alerted of the exploit by an ecosystem team that had installed one of the malicious versions into their application and had deployed it." The affected individual is said to have noticed the unauthorized transfer of assets from unspecified digital wallets to another account.

In a social media [post](https://bsky.app/profile/christophetd.fr/post/3lcgt6l7s4c2a), Christophe Tafani-Dereeper, a security researcher for Datadog, wrote: "The backdoor inserted in v1.95.7 adds an 'addToQueue' function which exfiltrates the private key through seemingly-legitimate Cloudflare headers."

Socket.dev, a software security biz, [advises](https://socket.dev/blog/supply-chain-attack-solana-web3-js-library) developers to run its free command-line tool to check for the presence of compromised packages. ®