Solana Web3.js library backdoored to steal secret, private keys

The legitimate Solana JavaScript SDK was temporarily compromised yesterday in a supply chain attack, with the library backdoored with malicious code to steal cryptocurrency private keys and drain wallets.

Solana offers an SDK called "@solana/web3.js" used by decentralized applications (dApps) to connect and interact with the Solana blockchain.

Supply chain security firm Socket reports that Solana's Web3.js library was hijacked to push out two malicious versions to steal private and secret cryptography keys to secure wallets and sign transactions.

"A supply chain attack has been detected in versions 1.95.6 and 1.95.7 of the popular @solana/web3.js library, which receives more than ~350,000 weekly downloads on npm," explains Socket.

"These compromised versions contain injected malicious code that is designed to steal private keys from unsuspecting developers and users, potentially enabling attackers to drain cryptocurrency wallets."

Solana confirmed the breach, stating that one of their publish-access accounts was compromised, allowing the attackers to publish two malicious versions of the library.

Solana is warning developers who suspect they were compromised to immediately upgrade to the latest v1.95.8 release and to rotate any keys, including multisigs, program authorities, and server keypairs.

The Solana Web3.js key stealer

According to DataDog researcher Christophe Tafani-Dereeper, the threat actors added a malicious addToQueue function that stole secret and private keys and sent them to the attacker's server.

"The backdoor inserted in v1.95.7 adds an "addToQueue" function which exfiltrates the private key through seemingly-legitimate CloudFlare headers," explains the researcher.

"Calls to this function are then inserted in various places that (legitimately) access the private key."

BleepingComputer reviewed the compromised library, and calls to the addToQueue function were added to five key locations in the librar—the fromSecretKey(), fromSeed(), createInstructionWithPublicKey(), and createInstructionWithPrivateKey() functions, and the account constructor.

The functions are used throughout the library and have the following functionality:

fromSecretKey(): Create a keypair from a raw secret key byte array. fromSeed(): Generate a keypair from a 32 byte seed. createInstructionWithPrivateKey(): Create an ed25519 instruction with a private key. createInstructionWithPrivateKey(): Create an secp256k1 instruction with a private key.

The malicious code will steal either the passed or generated secret key (first two functions and account constructor) or the passed private key (last two functions) and send it to the attacker's endpoints at https://sol-rpc[.]xyz/api/rpc/queue.

This domain was registered on November 22nd at 19:58:27 UTC and has not been seen used in other attacks.

Once the threat actors gain access to these keys, they can load them into their own wallets and remotely drain all stored cryptocurrency and NFTs.

Socket says the attack has been traced to the FnvLGtucz4E1ppJHRTev6Qv4X7g8Pw6WPStHCcbAKbfx Solana address, which currently contains 674.86 Solana and varying amounts of the Irish Pepe , Star Atlas, Jupiter, USD Coin, Santa Hat, Pepe on Fire, Bonk, catwifhat, and Genopets Ki tokens.

Solscan shows that the estimated value of the stolen cryptocurrency is $184,000 at the time of this writing.

For anyone whose wallets were compromised in this supply chain attack, you should immediately transfer any remaining funds to a new wallet and discontinue the use of the old one as the private keys are now compromised.