On December 3, 2024, a critical supply chain attack was uncovered targeting versions 1.95.6 and 1.95.7 of the widely used @solana/web3.js JavaScript library. The attack involved a malicious backdoor injected via a compromised npm publish account. Once deployed, the backdoor captured and exfiltrated private keys to a hardcoded Solana wallet address, ultimately leading to the theft of over $190,000 in cryptocurrency. The attack was particularly dangerous because the library is used in backend systems and bots that often manage wallet operations directly.
The malicious code was heavily obfuscated and strategically injected into areas that interact with secret or private keys. It disguised its exfiltration behavior behind seemingly legitimate HTTP headers (e.g., CloudFront) and sent data to a domain controlled by the attacker (sol-rpc[.]xyz). The attack window was limited to a five-hour period on December 2, but the package's popularity (up to 450,000 weekly downloads) made the impact widespread. Mitigation efforts included revoking the compromised versions from npm, taking down the C2 server, and releasing a patched version (1.95.8).
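A practical follow-up to the advisory is checking whether a project ever resolved one of the compromised versions, including nested copies pulled in transitively, and whether any installed file references the named C2 domain. The script below is an added example and is not code from the original article or from the Solana project. It takes the version numbers (1.95.6, 1.95.7, patched 1.95.8) and the domain sol-rpc[.]xyz from the text above; the handling of npm's lockfileVersion 1 (nested `dependencies` tree) and lockfileVersion 2/3 (flat `packages` map) follows npm's documented lockfile formats; the lockfiles, package name `some-sdk`, and source snippet are constructed sample inputs.

```javascript
// Added example (not from the original article): audit a package-lock.json
// for the @solana/web3.js versions the advisory names as compromised, and scan
// source text for the C2 domain it names. All sample inputs are constructed.

const PACKAGE = "@solana/web3.js";
const COMPROMISED = new Set(["1.95.6", "1.95.7"]); // versions named in the advisory
const PATCHED = "1.95.8";                           // patched release named in the advisory
const IOC_DOMAIN = "sol-rpc.xyz";                   // printed defanged as sol-rpc[.]xyz

// Collect every installed copy of the package, including nested duplicates.
// Handles lockfileVersion 2/3 ("packages" map keyed by install path) and
// lockfileVersion 1 (nested "dependencies" tree), since either may be in use.
function findInstalledVersions(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith(`node_modules/${PACKAGE}`) && meta.version) {
        found.push({ path, version: meta.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === PACKAGE && meta.version) found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Classify each installed copy: "compromised" for the two backdoored versions
// (with the patched release as the upgrade target), "ok" for anything else.
function auditLock(lock) {
  return findInstalledVersions(lock).map((entry) => {
    const bad = COMPROMISED.has(entry.version);
    return { ...entry, status: bad ? "compromised" : "ok", upgradeTo: bad ? PATCHED : null };
  });
}

// Scan text (e.g. a file read from node_modules) for the C2 domain in both its
// live form and the defanged form used in reports. Returns 1-based line numbers.
function scanForIoc(text) {
  const pattern = new RegExp(IOC_DOMAIN.replace(".", "\\[?\\.\\]?"), "i");
  return text
    .split("\n")
    .map((line, i) => (pattern.test(line) ? i + 1 : null))
    .filter((n) => n !== null);
}

// Constructed lockfileVersion 3 sample: the top-level copy is a backdoored
// version, while a nested copy under a hypothetical "some-sdk" is patched.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "trading-bot", version: "1.0.0" },
    "node_modules/@solana/web3.js": { version: "1.95.7" },
    "node_modules/some-sdk": { version: "2.0.0" },
    "node_modules/some-sdk/node_modules/@solana/web3.js": { version: "1.95.8" },
  },
};

// Constructed lockfileVersion 1 sample with the other compromised version nested.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-sdk": {
      version: "2.0.0",
      dependencies: { "@solana/web3.js": { version: "1.95.6" } },
    },
  },
};

// Constructed source snippet standing in for a file pulled from node_modules.
const SAMPLE_SOURCE = [
  'const endpoint = "https://rpc.example.com";',
  'const mirror = "https://sol-rpc.xyz/";',
  "// see report: sol-rpc[.]xyz",
].join("\n");

console.log(auditLock(SAMPLE_LOCK_V3));
console.log(auditLock(SAMPLE_LOCK_V1));
console.log("IoC hits on lines:", scanForIoc(SAMPLE_SOURCE));
```

Walking the whole lockfile rather than checking only the top-level entry matters here: a bot project may pin a safe version itself while a transitive dependency resolves one of the compromised releases in a nested `node_modules` directory, and that copy is the one a wallet-handling SDK would actually load.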