Yesterday, it was discovered that malicious code had been inserted into the @solana/web3.js library, which receives 400-500 thousand downloads per week on the NPM repository. The malicious changes were included in the 1.95.6 and 1.95.7 releases of web3.js and consisted of integrating code to send private keys to an external server. The integrity of the project has been restored with the 1.95.8 release. The root cause of the incident has not yet been fully determined, but preliminary data suggests that the malicious releases were published by compromising a maintainer's account using social engineering and phishing techniques.
The web3.js library is positioned as the official JavaScript SDK for working with the Solana cryptocurrency from applications running in browsers or using platforms like Node.js and React Native. The project is maintained by Solana Labs, the organization responsible for developing the mobile application and the reference implementation of the Solana blockchain. Solana cryptocurrency ranks fifth in market capitalization, behind only Bitcoin, Ethereum, XRP, and USDT.
The attack poses a threat of funds being stolen by attackers from applications that rely on the compromised version of web3.js. It is noted, however, that theft is only possible for decentralized applications (dapps) and bots that work directly with private keys. The issue does not affect client wallets that do not use private keys directly in transactions.
Currently, the web3.js library is listed as a direct dependency in 3,262 projects in the NPM catalog and is also used in web applications operating through browsers. Developers of dapps that use web3.js need to ensure that their dependencies do not include versions 1.95.6 and 1.95.7, which were distributed through NPM on Tuesday, December 3.
An analysis of the changes in the compromised version 1.95.7 revealed that the malicious code was embedded in the form of an "addToQueue" function, which sends private keys to the server "sol-rpc.xyz". The "addToQueue" function was inserted at various points in the code where key manipulation occurred. The keys are sent by encoding them with the Base58 method and distributing the content across HTTP headers "x-session-id," "x-amz-cf-id," and "x-amz-cf-pop," used in Cloudflare. The "sol-rpc.xyz" domain was registered on November 22 and hosted via Cloudflare.
I became curious about how antivirus solutions responded to this incident. In my opinion, one of the key tasks of any security product is to monitor such incidents and promptly block access to servers responsible for such leaks and breaches to minimize harm to users, administrators, and developers who might not learn about the breach as quickly as professionals ideally should.
So, as of last evening (December 4), the site was blocked only by Fortinet, Kaspersky, and Netcraft.
This morning (December 5), BitDefender, G Data, Sophos, Google, CyRadar, and CRDF joined in.
As of now (around noon in Europe on December 5), Eset and Lionic have also responded. Symantec has detections, but I cannot confirm when they were added since they are not on VirusTotal (VT).
On MetaDefender Cloud Community | Results, there are currently no detections at all.
I find this result extremely disappointing. The news was widely circulated on December 4 during the day, but nearly 24 hours later, we have only 10 detections on VT. There is still no response from Avira, McAfee, CheckPoint (Harmony) or other major labs (vendors).
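Added example (not part of the post above, and not code from the @solana/web3.js project): a Node.js triage script covering the two practical checks the post implies. First, it walks a package-lock.json (lockfileVersion 2/3 "packages" map) and reports every nested copy of @solana/web3.js pinned to the affected releases 1.95.6 or 1.95.7. Second, it runs a simple detector over outbound HTTP request log lines, flagging requests to the sol-rpc.xyz host and, as a host-independent heuristic, requests whose "x-session-id", "x-amz-cf-id" and "x-amz-cf-pop" headers all carry Base58-only values. The lockfile, the log line format ("timestamp method host path k=v;k=v") and all header values are constructed sample data, not captured traffic.

```javascript
// Added example: defender-side checks for the web3.js 1.95.6/1.95.7 incident.
// All sample data below is constructed; the log format is invented for the demo.

const AFFECTED_VERSIONS = new Set(['1.95.6', '1.95.7']);
const EXFIL_HOST = 'sol-rpc.xyz';
const EXFIL_HEADERS = ['x-session-id', 'x-amz-cf-id', 'x-amz-cf-pop'];

// Base58 alphabet: digits 1-9 and letters minus 0, O, I and l.
const BASE58_RE = /^[1-9A-HJ-NP-Za-km-z]+$/;

// Check 1: return every lockfile entry resolving to an affected web3.js release.
// Entries look like "node_modules/@solana/web3.js" or, for nested copies pulled
// in by another dependency, "node_modules/<dep>/node_modules/@solana/web3.js".
function findAffectedWeb3(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith('node_modules/@solana/web3.js')) continue;
    if (AFFECTED_VERSIONS.has(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Check 2a: parse one constructed log line "<ts> <method> <host> <path> <k=v;k=v>".
function parseLogLine(line) {
  const [ts, method, host, path, rawHeaders = ''] = line.trim().split(/\s+/);
  const headers = {};
  for (const kv of rawHeaders.split(';')) {
    const idx = kv.indexOf('=');
    if (idx < 0) continue;
    headers[kv.slice(0, idx).toLowerCase()] = kv.slice(idx + 1);
  }
  return { ts, method, host, path, headers };
}

// Check 2b: classify a request. "host-ioc" matches the known exfil domain;
// "base58-header-smuggling" fires when all three headers carry Base58-only
// values, which also catches the same technique aimed at a host not yet listed.
function classifyRequest(req) {
  const reasons = [];
  const host = req.host.toLowerCase();
  if (host === EXFIL_HOST || host.endsWith('.' + EXFIL_HOST)) reasons.push('host-ioc');
  const carried = EXFIL_HEADERS.filter(h => h in req.headers && BASE58_RE.test(req.headers[h]));
  if (carried.length === EXFIL_HEADERS.length) reasons.push('base58-header-smuggling');
  return reasons;
}

// Run the detector over a list of log lines, keeping only flagged requests.
function scanLogs(lines) {
  return lines
    .map(parseLogLine)
    .map(req => ({ ...req, reasons: classifyRequest(req) }))
    .filter(req => req.reasons.length > 0);
}

// Constructed lockfile: one direct copy on the bad release, one nested copy that is fine.
const SAMPLE_LOCKFILE = {
  name: 'example-dapp',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-dapp', dependencies: { '@solana/web3.js': '^1.95.0' } },
    'node_modules/@solana/web3.js': { version: '1.95.7' },
    'node_modules/example-wallet-adapter/node_modules/@solana/web3.js': { version: '1.95.4' },
  },
};

// Constructed log lines: a normal RPC call, the exfil call, a CDN fetch, and the
// same header pattern sent to an unlisted host (hypothetical address).
const SAMPLE_LOG = [
  'T1 POST api.mainnet-beta.solana.com / content-type=application/json',
  'T2 POST sol-rpc.xyz / x-session-id=2KeyPartABC;x-amz-cf-id=3KeyPartDEF;x-amz-cf-pop=4KeyPartGHJ',
  'T3 GET cdn.example.net /app.js accept=*/*',
  'T4 POST 203.0.113.7 /queue x-session-id=2KeyPartABC;x-amz-cf-id=3KeyPartDEF;x-amz-cf-pop=4KeyPartGHJ',
];

console.log('affected web3.js copies:', JSON.stringify(findAffectedWeb3(SAMPLE_LOCKFILE)));
console.log('flagged requests:', JSON.stringify(scanLogs(SAMPLE_LOG).map(r => [r.host, r.reasons])));
```

The lockfile walk deliberately matches on the path suffix rather than the top-level entry only, because a fixed direct dependency does not guarantee that a transitive copy of web3.js is also fixed. The header heuristic is a heuristic: genuine CloudFront headers appear in responses rather than requests and usually contain characters outside the Base58 alphabet, so the three-header, all-Base58 combination in an outbound request is worth an alert, but it should be tuned against your own traffic before being treated as a blocking rule.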