A significant supply chain attack has impacted the Solana ecosystem, targeting the @solana/web3.js JavaScript library, a critical tool that developers rely on to create decentralized applications (dApps) on the Solana blockchain.
On December 2, hackers gained access to the account of a developer maintaining the @solana/web3.js library. It’s a tool that’s been downloaded more than 350,000 times weekly by Solana app developers.
Hackers compromised versions 1.95.6 and 1.95.7, embedding malicious code that exfiltrated private keys and drained funds. The breach led to $160,000 in stolen assets, including SOL tokens and other crypto assets, according to Solscan data.
Solana-focused development team Anza disclosed the breach on Tuesday, saying it occurred when a publish-access account for the library on npm was compromised.
Earlier today, a publish-access account was compromised for @solana/web3.js, a JavaScript library that is commonly used by Solana dapps. This allowed an attacker to publish unauthorized and malicious packages that were modified, allowing them to steal private key material and…
— Anza (@anza_xyz) December 3, 2024
The attackers introduced unauthorized updates containing a backdoor that transmitted private key data to a hardcoded address. These malicious versions were downloaded before they were removed from npm hours later.
The attack affected developers who updated the library between 3:20 PM UTC and 8:25 PM UTC on December 2, particularly those using backend systems or bots reliant on private keys.
Using this access, the attackers uploaded altered versions of the library (1.95.6 and 1.95.7) containing code that secretly sent private keys to a hacker-controlled address. These keys allowed the hackers to steal funds from applications that used the compromised library.
This type of incident is called a supply chain attack, where hackers tamper with software that developers depend on, spreading the malicious code widely.
Projects or systems that downloaded and integrated these versions of the library unknowingly became vulnerable to the exploit.
Phantom is not impacted by this vulnerability.
Our Security Team confirms that we have never used the exploited versions of @solana/web3.js.
— Phantom (@phantom) December 3, 2024
In a public statement, Phantom, one of the most widely-used Solana wallets, confirmed it never used the compromised versions of the library, ensuring its users were not impacted.
Similarly, Solflare and other key projects like Drift and Backpack reassured their communities that robust security measures prevented any compromise.
Developers relying on private key operations within the affected versions were the primary victims, but end-users were largely spared.
Prominent voices in the Solana community clarified the attack did not compromise the Solana blockchain itself.
In the wake of the breach, developers have been urged to immediately update to version 1.95.8 of the library, audit their projects for dependencies on the compromised versions, and rotate and regenerate private keys to mitigate further losses.
npm has since removed the affected versions, and tools like Socket have been recommended for developers to detect vulnerabilities in their repositories.
This breach is part of a worrying trend of supply chain attacks, where hackers target widely-used software tools to attack a larger group of people.
Hakan Unal, Senior Blockchain Scientist at Cyverse, told Decrypt that “the recent Solana library supply chain attack highlights a critical issue in modern software development: the security of third-party dependencies.”
“These dependencies—open-source libraries or components integrated into a larger project—are widely used to accelerate development,” Unal added. “However, if not managed carefully, they can become vectors for malicious actors, and especially in crypto, where capital gain is high, rigid standards are needed.”
A similar attack recently affected the Lottie Player JavaScript library, widely used for web animations. Hackers embedded malicious code into its npm package, causing crypto losses exceeding $723,000.
In that case, users visiting compromised websites unknowingly signed fake wallet connection prompts controlled by attackers, granting access to their funds.
Edited by Stacy Elliott.