The JavaScript-based software development kit (SDK) that allows developers to interact with the Solana blockchain has suffered a supply chain attack aimed at crypto theft.

The Solana Web3.js library, which provides APIs for sending transactions, managing accounts, querying blockchain data, and interacting with smart contracts, was backdoored to retrieve private keys.

The attack was first reported by Anza, a Solana-focused research and development firm, as a compromise of a publish-access account, which refers to an account with publish and transaction access.

“Earlier today, a publish-access account was compromised for @solana/web3.js, a JavaScript library that is commonly used by Solana dapps,” Anza said in a tweet on Wednesday. “This allowed an attacker to publish unauthorized and malicious packages that were modified, allowing them to steal private key material and drain funds from dapps, like bots, that handle private keys directly.”

According to a report by supply chain security firm Socket, the library was hijacked to distribute two malicious versions, 1.95.6 and 1.95.7, aimed at extracting sensitive cryptographic keys used to protect wallets and authorize transactions.

The altered versions of the popular library, which receives more than 350,000 weekly downloads on the node package manager (npm), were swiftly removed from npm.

In a post on the decentralized social media platform BlueSky, Christophe Tafani-Dereeper, a cloud security researcher at Datadog, said, “The backdoor inserted in v1.95.7 adds an ‘addToQueue’ function which exfiltrates the private key through seemingly-legitimate CloudFlare headers.”

Calls to this function are then inserted in various places that (legitimately) access the private key, Tafani-Dereeper added, sharing a code snippet of the alterations and a link to the malicious versions dataset.

The injected code captures the private keys and transmits them to a hardcoded address. The associated domain is hosted behind CloudFlare, although the C2 is currently down.
Recommended actions include rollback or upgrade
Socket reported that the attack potentially impacts both developers (who risk exposing their private keys) and users (who may run applications relying on the compromised library and have their wallets drained).

Immediate actions recommended for developers include checking their dependencies for usage of versions 1.95.6 or 1.95.7. If either is present, they are advised to downgrade to a safe version prior to 1.95.6 or update to version 1.95.8, a version released with the injected code removed. Regenerating compromised keys and revoking permissions as needed is also recommended as a mitigation.

Helius Labs, a Solana development platform, revealed the attack is likely the result of a social engineering/phishing attack. “The attack was likely done through a phishing attack on the credentials for publishing npm packages, in this case the web3 js library,” said CEO Mert Mumtaz in a tweet, estimating the damage from the attack to be roughly $130k.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3617893/solana-sdk-backdoored-for-stealing-secrets-private-keys.html