Solana Library Supply Chain Attack Exposes Cryptocurrency Wallets

February 26, 2026

A supply chain attack on the widely used @solana/web3.js npm library, targeting private keys to steal funds, has put developers and cryptocurrency users at risk. The malicious versions, 1.95.6 and 1.95.7, were published briefly on December 2, 2024, but have since been removed.

The attack exploited the library’s maintainers, likely through phishing, allowing attackers to inject malicious code. Security researchers revealed that the code exfiltrated private keys to an attacker-controlled server, sol-rpc[.]xyz, registered days before the breach.

Christophe Tafani-Dereeper, a cloud security researcher, identified the “addToQueue” backdoor function, which hijacked key-sensitive processes within the package.

The malicious activity affected projects that directly handled private keys and updated their dependencies within the five-hour attack window. These include decentralized applications (dApps) or automated bots that rely on private keys to operate.

Non-custodial wallets, which do not expose private keys during transactions, were not impacted. The stolen assets, primarily in SOL tokens, are estimated to total between $130,000 and $160,000. Major wallets like Phantom and Coinbase confirmed they were unaffected as they did not integrate the compromised versions.

Preventive Steps for Developers

Solana Labs and other experts recommended these actions for developers:

  • Audit dependencies to identify usage of @solana/web3.js versions 1.95.6 or 1.95.7

  • Update to version 1.95.8 immediately

  • Rotate keys, including multi-sigs and program authorities, if compromise is suspected

The incident highlights ongoing vulnerabilities in open-source software supply chains. This attack follows other npm package breaches, such as crypto-keccak and solana-systemprogram-utils, which similarly targeted cryptocurrency wallets.

“We’ve seen a lot of different attacks on crypto this year; the ease of stealing wallets combined with the value inside the wallets is a tempting target,” said Katie Paxton-Fear, API researcher at Traceable AI.

“Combined with the rise in supply chain attacks, it perhaps was not surprising to see a threat actor combine the two with a supply chain attack targeting the wallets of Web 3.0 developers.”

The Broader Impact

Although major wallets like Phantom and Coinbase were unaffected, many developers who integrated the library into smaller dApps and tools were exposed. Security firm Socket called for increased vigilance when managing dependencies in high-risk environments.

This attack underscores the need for robust supply chain security, especially as cryptocurrency ecosystems continue to grow.

“To combat this growing threat, security programs must evolve beyond traditional CVE-based vulnerability management,” warned Spektion CEO, Joe Silva.

“A proactive approach that emphasizes understanding the risks posed by software components and their runtime behaviors will be critical for effectively managing third-party software risk and securing the software supply chain.”
