Supply Chain Attack Hits Solana Library, Stealing Private Keys


Experts at Socket have reported a significant supply chain attack targeting the popular library @solana/web3.js, available via npm. Malicious versions 1.95.6 and 1.95.7, containing code designed to steal private keys, were used to drain cryptocurrency wallets belonging to developers and users.

@solana/web3.js is an npm library that facilitates interaction with the Solana platform’s JavaScript SDK, commonly employed in building Node.js applications and websites. Although the compromised versions have been removed from the npm registry, the library’s widespread adoption—exceeding 350,000 downloads per week—has raised serious concerns.

Version 1.95.7 included a malicious function called addToQueue, which transmitted private keys to a command-and-control server (sol-rpc[.]xyz) disguised behind fake Cloudflare headers. This server is currently offline.
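The report gives one network indicator, the command-and-control domain. As an added example that is not part of the original article, the script below turns the defanged indicator back into a matchable hostname and runs it over a few constructed egress-log lines (the log format, source addresses and URL paths are assumptions). It is the kind of retrospective check a team can run over proxy or egress logs for the affected window to see whether any host talked to the C2 domain or one of its subdomains.

```javascript
// Added example (not from the article): flag outbound requests to the
// command-and-control domain named in the report. Log lines are constructed.
const IOC_DOMAINS_DEFANGED = ["sol-rpc[.]xyz"]; // indicator as written in the report

// Turn a defanged indicator ("sol-rpc[.]xyz", "hxxps://...") back into a hostname.
function refang(indicator) {
  return indicator
    .toLowerCase()
    .replace(/^hxxps?:\/\//, "")
    .replace(/\[\.\]/g, ".");
}

const IOC_DOMAINS = IOC_DOMAINS_DEFANGED.map(refang);

// True when host equals an indicator or is a subdomain of it.
// "notsol-rpc.xyz" must NOT match, hence the leading dot in the suffix test.
function hostMatchesIoc(host, iocs = IOC_DOMAINS) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return iocs.some((d) => h === d || h.endsWith("." + d));
}

// Parse one constructed log line of the (assumed) form
//   "<ISO timestamp> <src-ip> CONNECT <host>:<port>"  or
//   "<ISO timestamp> <src-ip> GET|POST <absolute-url>"
function parseLogLine(line) {
  const m = line.match(/^(\S+)\s+(\S+)\s+(CONNECT|GET|POST)\s+(\S+)/);
  if (!m) return null;
  const [, ts, src, method, target] = m;
  let host;
  if (method === "CONNECT") {
    host = target.split(":")[0];
  } else {
    try {
      host = new URL(target).hostname;
    } catch {
      return null; // malformed URL: skip rather than crash the sweep
    }
  }
  return { ts, src, method, host };
}

// Return every parsed record whose destination host matches an indicator.
function findSuspiciousEgress(lines, iocs = IOC_DOMAINS) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (rec && hostMatchesIoc(rec.host, iocs)) hits.push(rec);
  }
  return hits;
}

// Constructed sample log lines (not real traffic); timestamps fall in the
// affected window the report gives for December 2, 2024.
const SAMPLE_LOG = [
  "2024-12-02T15:31:02Z 10.0.0.12 GET https://api.mainnet-beta.solana.com/",
  "2024-12-02T15:31:05Z 10.0.0.12 POST https://sol-rpc.xyz/api/rpc",
  "2024-12-02T15:32:10Z 10.0.0.41 CONNECT cdn.sol-rpc.xyz:443",
  "2024-12-02T15:33:00Z 10.0.0.41 GET https://registry.npmjs.org/@solana/web3.js",
  "2024-12-02T15:34:00Z 10.0.0.41 GET https://notsol-rpc.xyz/",
];

console.log(JSON.stringify(findSuspiciousEgress(SAMPLE_LOG), null, 2));
```

Any source address that appears in the output is a host where the compromised package may have run, and therefore a candidate for key rotation regardless of what its lockfile says today.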

Experts suggest that the attackers likely gained control of the library’s developer accounts through a phishing campaign. By compromising an account with publishing privileges, they were able to upload the altered versions, which were specifically designed to exfiltrate private keys and siphon funds from applications that handle those keys directly.

The attack affected projects updated between 15:20 and 20:25 UTC on December 2, 2024. Non-custodial wallets, which do not expose private keys during transactions, were not impacted. Users are urgently advised to upgrade the library to version 1.95.8 and replace any compromised keys as a precaution.
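Upgrading only helps if no copy of a bad version remains anywhere in the dependency tree, including a transitive copy that another package pins for itself. The following added example (not code from the article, Socket or the Solana project) audits an npm lockfile object for the two versions named above, handling both the flat `packages` map of lockfile v2/v3 and the nested `dependencies` tree of lockfile v1. The sample lockfile, the project name and the `some-wallet-adapter` package are constructed.

```javascript
// Added example (not from the article or the project): audit an npm lockfile
// for the compromised @solana/web3.js releases named in the report.
const PACKAGE = "@solana/web3.js";
const COMPROMISED = new Set(["1.95.6", "1.95.7"]); // versions named in the report
const FIXED_VERSION = "1.95.8";                      // version the report says to upgrade to

// Collect every installed copy of PACKAGE with its path in node_modules.
// Lockfile v2/v3 carries a flat "packages" map keyed by install path; v1
// nests a "dependencies" tree. v2 files carry both, so prefer "packages"
// to avoid counting the same install twice.
function collectInstalls(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/" + PACKAGE)) {
        found.push({ path, version: meta.version });
      }
    }
    return found;
  }
  if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = prefix + "node_modules/" + name;
        if (name === PACKAGE) found.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// Split installs into compromised and not-compromised copies. A copy that is
// not compromised may still be older than FIXED_VERSION; report that too.
function auditLockfile(lock) {
  const installs = collectInstalls(lock);
  return {
    compromised: installs.filter((i) => COMPROMISED.has(i.version)),
    clean: installs.filter((i) => !COMPROMISED.has(i.version)),
    allAtFixedOrLater: installs.every((i) => i.version === FIXED_VERSION || !COMPROMISED.has(i.version)),
  };
}

// Constructed lockfile v3 fragment (not a real project): the top-level copy is
// already on the fixed release, but a wallet-adapter package still pins 1.95.7.
const SAMPLE_LOCK = {
  name: "example-dapp",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-dapp", version: "0.1.0", dependencies: { "@solana/web3.js": "^1.95.0" } },
    "node_modules/@solana/web3.js": { version: "1.95.8" },
    "node_modules/some-wallet-adapter": { version: "2.0.0", dependencies: { "@solana/web3.js": "1.95.7" } },
    "node_modules/some-wallet-adapter/node_modules/@solana/web3.js": { version: "1.95.7" },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

To run this against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The lockfile, not `package.json`, is the thing to audit: a caret range such as `^1.95.0` in `package.json` would happily have resolved to 1.95.7 during the affected window, and only the lockfile records which version was actually installed.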

Anza, the company responsible for the library’s publication account, confirmed the compromise, which enabled attackers to steal funds estimated at between $130,000 and $160,000. However, most major wallets and applications—including Phantom, Coinbase, and Exodus—remained unaffected as they did not use the compromised versions.

Developers are strongly urged to replace program, server, and multisig keys if any suspicion of compromise exists. This incident exclusively affects the JavaScript library handling private keys and does not impact the Solana protocol itself.
