Backdoor in Compromised Solana Code Library Drains $184,000 from Digital Wallets (bleepingcomputer.com)
(Thursday December 05, 2024 @05:25PM (EditorDavid)
from the out-the-backdoor dept.)
- Reference: 0175600261
- News link: https://news.slashdot.org/story/24/12/05/1848223/backdoor-in-compromised-solana-code-library-drains-184000-from-digital-wallets
- Source link: https://www.bleepingcomputer.com/news/security/solana-web3js-library-backdoored-to-steal-secret-private-keys/
The Solana JavaScript SDK "was temporarily compromised yesterday in a supply chain attack," [1]reports BleepingComputer, "with the library backdoored with malicious code to steal cryptocurrency private keys and drain wallets."
> Solana offers an SDK called "[2]@solana/web3.js" used by decentralized applications (dApps) to connect and interact with the Solana blockchain. Supply chain security firm Socket reports that Solana's Web3.js library was hijacked to push out two malicious versions to steal private and secret cryptography keys to secure wallets and sign transactions... Solana [3]confirmed the breach, stating that one of their publish-access accounts was compromised, allowing the attackers to publish two malicious versions of the library... Solana is warning developers who suspect they were compromised to immediately upgrade to the latest v1.95.8 release and to rotate any keys, including multisigs, program authorities, and server keypairs...
>
> Once the threat actors gain access to these keys, they can load them into their own wallets and remotely drain all stored cryptocurrency and NFTs... Socket says the attack has been traced to the [4]FnvLGtucz4E1ppJHRTev6Qv4X7g8Pw6WPStHCcbAKbfx Solana address, which currently contains 674.86 Solana and varying amounts of the Irish Pepe, Star Atlas, Jupiter, USD Coin, Santa Hat, Pepe on Fire, Bonk, catwifhat, and Genopets Ki tokens. Solscan shows that the estimated value of the stolen cryptocurrency is $184,000 at the time of this writing.
>
> For anyone whose wallets were compromised in this supply chain attack, you should immediately transfer any remaining funds to a new wallet and discontinue the use of the old one as the private keys are now compromised.
[5]Ars Technica adds that "In social media posts, [6]one person claimed to have lost $20,000 in the hack."
The compromised library "receives more than ~350,000 weekly downloads on npm," [7]Socket posted. (Although [8]Solana's statement says the compromised versions "were caught within hours and have since been unpublished.")
[1] https://www.bleepingcomputer.com/news/security/solana-web3js-library-backdoored-to-steal-secret-private-keys/
[2] http://github.com/solana-labs/solana-web3.js
[3] https://github.com/solana-labs/solana-web3.js/releases
[4] https://solscan.io/account/FnvLGtucz4E1ppJHRTev6Qv4X7g8Pw6WPStHCcbAKbfx
[5] https://arstechnica.com/information-technology/2024/12/backdoor-slips-into-popular-code-library-drains-155k-from-digital-wallets/
[6] https://x.com/0xdrnoid/status/1864061435644416136
[7] https://socket.dev/blog/supply-chain-attack-solana-web3-js-library
[8] https://github.com/solana-labs/solana-web3.js/releases
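An added example, not code from the article, Socket or Solana: one way to act on the upgrade advice above is to audit an npm lockfile for every installed copy of @solana/web3.js, including copies nested under other dependencies. The function names, the sample lockfile and the deny-list entry are constructed for illustration; the page does not list the malicious version numbers, so the caller supplies them from the vendor advisory.

```javascript
// Audit an npm lockfile (v2/v3 "packages" map) for every installed copy of
// @solana/web3.js, including nested transitive copies.
const PKG = "@solana/web3.js";
const FIXED = "1.95.8"; // release the page says to upgrade to

// Compare two x.y.z versions (pre-release suffix ignored); returns -1, 0 or 1.
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// denyList: exact versions the vendor advisory names as malicious
// (assumption: supplied by the caller, since the page does not list them).
function auditLock(lock, denyList = []) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match the package itself at any nesting depth, not look-alike names.
    if (!path.endsWith("node_modules/" + PKG)) continue;
    let status = "ok";
    if (denyList.includes(meta.version)) status = "malicious";
    // Older than the fixed release: not necessarily backdoored, but should
    // be checked against the advisory and upgraded.
    else if (cmpVersion(meta.version, FIXED) < 0) status = "below-fixed";
    findings.push({ path, version: meta.version, status });
  }
  return findings;
}

// Constructed sample lockfile; "0.0.0-placeholder" stands in for a version
// taken from the advisory and is not a real release.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-dapp", version: "0.0.1" },
    "node_modules/@solana/web3.js": { version: "1.95.8" },
    "node_modules/wallet-kit/node_modules/@solana/web3.js": { version: "1.91.0" },
    "node_modules/pay-sdk/node_modules/@solana/web3.js": { version: "0.0.0-placeholder" },
    "node_modules/@solana/web3.js-helper": { version: "0.1.0" },
  },
};

const sampleFindings = auditLock(sampleLock, ["0.0.0-placeholder"]);
console.log(sampleFindings);
```

A clean lockfile only describes what is installed now; keys handled by a build that ran an affected version still need rotating, as the advisory quoted above says.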
So? (Score:3)
by nocoiner ( 7891194 )
CODE IS LAW!!! (Right?)
BTC evangelists unaware of being victimized (Score:2)
by Ed Tice ( 3732157 )
I wonder how many BTC evangelists are out there right now talking about all the money they made in crypto-currency and don't even realize that their wallets have been drained long ago.
Re: (Score:2)
by toxonix ( 1793960 )
Exactly. Never heard of Solano, Solana, whatever, or their stupid JS library.
Re: (Score:2)
by snowshovelboy ( 242280 )
Got em!
Re: (Score:2)
by bjoast ( 1310293 )
Exactly. It was transferred.
Scammers gotta scam (Score:1)
Enough of your Bitcoin/Crypto stories.
A global money laundering cult.
Re: (Score:2)
> Enough of your Bitcoin/Crypto stories.
There are crypto shilling stories and then there are ones like this which remind us why crypto is fundamentally broken for both currency use and value storage. Yes, if you are a highly financed criminal with the knowledge to work around the privacy problems, crypto has a number of benefits. For normal people it's a pyramid scheme.
Re: (Score:2)
Because a javascript library was compromised on github? So anything where this attack occurs proves it is "fundamentally broken"?
Re: (Score:2)
If anyone gets a look at your private key, your crypto is irrevocably gone.
If this happened to my internet banking app, my money gets returned.
Re: (Score:2)
> Enough of your Bitcoin/Crypto stories.
But thanks to AI song generation, now anyone can make an ode to all those stolen coins, so I did: [1]Your Coins Are Gone (And They Ain’t Comin’ Back) [youtu.be].
[1] https://youtu.be/yEXl2cr9BKU