Serious Discussion AV-labs' Response Time to Major Web Incidents

CyberDevil

Level 9
Thread author
Verified
Well-known
Apr 4, 2021
424
Yesterday, it was discovered that malicious code had been inserted into the @solana/web3.js library, which receives 400-500 thousand downloads per week on the NPM repository. The malicious changes were included in the 1.95.6 and 1.95.7 releases of web3.js and consisted of integrating code to send private keys to an external server. The integrity of the project has been restored with the 1.95.8 release. The root cause of the incident has not yet been fully determined, but preliminary data suggests that the malicious releases were published by compromising a maintainer's account using social engineering and phishing techniques.

The web3.js library is positioned as the official JavaScript SDK for working with the Solana cryptocurrency from applications running in browsers or using platforms like Node.js and React Native. The project is maintained by Solana Labs, the organization responsible for developing the mobile application and the reference implementation of the Solana blockchain. Solana cryptocurrency ranks fifth in market capitalization, behind only Bitcoin, Ethereum, XRP, and USDT.

The attack poses a threat of funds being stolen by attackers from applications that rely on the compromised version of web3.js. It is noted, however, that theft is only possible for decentralized applications (dapps) and bots that work directly with private keys. The issue does not affect client wallets that do not use private keys directly in transactions.

Currently, the web3.js library is listed as a direct dependency in 3,262 projects in the NPM catalog and is also used in web applications operating through browsers. Developers of dapps that use web3.js need to ensure that their dependencies do not include versions 1.95.6 and 1.95.7, which were distributed through NPM on Tuesday, December 3.

An analysis of the changes in the compromised version 1.95.7 revealed that the malicious code was embedded in the form of an "addToQueue" function, which sends private keys to the server "sol-rpc.xyz". The "addToQueue" function was inserted at various points in the code where key manipulation occurred. The keys are sent by encoding them with the Base58 method and distributing the content across HTTP headers "x-session-id," "x-amz-cf-id," and "x-amz-cf-pop," used in Cloudflare. The "sol-rpc.xyz" domain was registered on November 22 and hosted via Cloudflare.



I became curious about how antivirus solutions responded to this incident. In my opinion, one of the key tasks of any security product is to monitor such incidents and promptly block access to servers responsible for such leaks and breaches to minimize harm to users, administrators, and developers who might not learn about the breach as quickly as professionals ideally should.

So, as of last evening (December 4), the site was blocked only by Fortinet, Kaspersky, and Netcraft.

This morning (December 5), BitDefender, G Data, Sophos, Google, CyRadar, and CRDF joined in.

As of now (around noon in Europe on December 5), Eset and Lionic have also responded. Symantec has detections, but I cannot confirm when they were added since they are not on VirusTotal (VT).
On MetaDefender Cloud Community | Results, there are currently no detections at all.

I find this result extremely disappointing. The news was widely circulated on December 4 during the day, but nearly 24 hours later, we have only 10 detections on VT. There is still no response from Avira, McAfee, CheckPoint (Harmony) or other major labs (vendors).
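As an added example (not code from the post, from Solana Labs, or from any AV vendor), a Node.js check for the dependency advice in the post above: it walks a package-lock.json in both the v1 nested and the v2/v3 flat layouts and reports every installed copy of @solana/web3.js at 1.95.6 or 1.95.7, including transitive copies nested under another package. The sample lockfiles and the package name "some-dapp-sdk" are constructed for the example.

```javascript
// Added example (not from the post): scan an npm lockfile for the
// @solana/web3.js releases the thread names as compromised (1.95.6, 1.95.7).
const COMPROMISED = new Map([["@solana/web3.js", new Set(["1.95.6", "1.95.7"])]]);
function record(hits, path, name, meta) {
  const bad = COMPROMISED.get(name);
  if (bad && meta && bad.has(meta.version)) hits.push({ path, name, version: meta.version });
}
// lockfileVersion 2/3: flat "packages" map keyed by install path, e.g.
// "node_modules/foo/node_modules/@solana/web3.js" for a nested copy.
function scanPackagesSection(packages) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" is the root project itself, not a dependency
    record(hits, path, path.slice(idx + "node_modules/".length), meta);
  }
  return hits;
}
// lockfileVersion 1: nested "dependencies" tree, so walk it recursively.
function scanDependenciesTree(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    record(hits, path, name, meta);
    scanDependenciesTree(meta.dependencies, `${path}/`, hits);
  }
  return hits;
}
// Accepts a parsed lockfile or its JSON text; returns every installed copy
// (direct or transitive) whose version is on the compromised list.
function findCompromised(lockfile) {
  const lock = typeof lockfile === "string" ? JSON.parse(lockfile) : lockfile;
  if (lock.packages) return scanPackagesSection(lock.packages);
  return scanDependenciesTree(lock.dependencies, "", []);
}
// Constructed sample (v3 layout): the root pins a clean 1.95.8, but a
// hypothetical "some-dapp-sdk" still carries its own nested 1.95.7 copy.
const SAMPLE_LOCK_V3 = { lockfileVersion: 3, packages: {
  "": { name: "my-dapp", dependencies: { "@solana/web3.js": "^1.95.8" } },
  "node_modules/@solana/web3.js": { version: "1.95.8" },
  "node_modules/some-dapp-sdk": { version: "0.1.0" },
  "node_modules/some-dapp-sdk/node_modules/@solana/web3.js": { version: "1.95.7" },
} };
// Constructed sample (v1 layout) with the same nested situation, as JSON text.
const SAMPLE_LOCK_V1 = JSON.stringify({ lockfileVersion: 1, dependencies: {
  "@solana/web3.js": { version: "1.95.8" },
  "some-dapp-sdk": { version: "0.1.0", dependencies: { "@solana/web3.js": { version: "1.95.6" } } },
} });
```

Run it against a real lockfile with `findCompromised(fs.readFileSync("package-lock.json", "utf8"))`; a clean root pin is not enough, since a nested copy under another dependency is what the transitive case catches.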

Bot

AI-powered Bot
Apr 21, 2016
4,533
It's indeed concerning that more AV labs haven't responded promptly to this major security incident. It underscores the importance of proactive threat detection and rapid response times in the cybersecurity landscape. Let's hope the affected labs take note and improve their response times to such incidents in the future.

Vitali Ortzi

Level 27
Verified
Top Poster
Well-known
Dec 12, 2016
1,641
Yesterday, it was discovered that malicious code had been inserted into the @solana/web3.js library, which receives 400-500 thousand downloads per week on the NPM repository. The malicious changes were included in the 1.95.6 and 1.95.7 releases of web3.js and consisted of integrating code to send private keys to an external server. The integrity of the project has been restored with the 1.95.8 release. The root cause of the incident has not yet been fully determined, but preliminary data suggests that the malicious releases were published by compromising a maintainer's account using social engineering and phishing techniques.

The web3.js library is positioned as the official JavaScript SDK for working with the Solana cryptocurrency from applications running in browsers or using platforms like Node.js and React Native. The project is maintained by Solana Labs, the organization responsible for developing the mobile application and the reference implementation of the Solana blockchain. Solana cryptocurrency ranks fifth in market capitalization, behind only Bitcoin, Ethereum, XRP, and USDT.

The attack poses a threat of funds being stolen by attackers from applications that rely on the compromised version of web3.js. It is noted, however, that theft is only possible for decentralized applications (dapps) and bots that work directly with private keys. The issue does not affect client wallets that do not use private keys directly in transactions.

Currently, the web3.js library is listed as a direct dependency in 3,262 projects in the NPM catalog and is also used in web applications operating through browsers. Developers of dapps that use web3.js need to ensure that their dependencies do not include versions 1.95.6 and 1.95.7, which were distributed through NPM on Tuesday, December 3.

An analysis of the changes in the compromised version 1.95.7 revealed that the malicious code was embedded in the form of an "addToQueue" function, which sends private keys to the server "sol-rpc.xyz". The "addToQueue" function was inserted at various points in the code where key manipulation occurred. The keys are sent by encoding them with the Base58 method and distributing the content across HTTP headers "x-session-id," "x-amz-cf-id," and "x-amz-cf-pop," used in Cloudflare. The "sol-rpc.xyz" domain was registered on November 22 and hosted via Cloudflare.



I became curious about how antivirus solutions responded to this incident. In my opinion, one of the key tasks of any security product is to monitor such incidents and promptly block access to servers responsible for such leaks and breaches to minimize harm to users, administrators, and developers who might not learn about the breach as quickly as professionals ideally should.

So, as of last evening (December 4), the site was blocked only by Fortinet, Kaspersky, and Netcraft.

This morning (December 5), BitDefender, G Data, Sophos, Google, CyRadar, and CRDF joined in.

As of now (around noon in Europe on December 5), Eset and Lionic have also responded. Symantec has detections, but I cannot confirm when they were added since they are not on VirusTotal (VT).
On MetaDefender Cloud Community | Results, there are currently no detections at all.

I find this result extremely disappointing. The news was widely circulated on December 4 during the day, but nearly 24 hours later, we have only 10 detections on VT. There is still no response from Gen (Norton, Avira, Avast), McAfee, CheckPoint (Harmony) or other major labs (vendors).
CheckPoint and Symantec do detect it when I put the URL into my tablet's web browser.