@solana/web3.js
@solana/web3.js NPM package compromised to steal private keys
Attackers compromised an NPM account with publish access, reportedly by spear-phishing a maintainer. They published malicious versions (1.95.6, 1.95.7) of the widely used `@solana/web3.js` package to NPM. The injected code captured private keys handled by dependent applications (especially bots or backend systems) and exfiltrated them to an attacker's server (`sol-rpc.xyz`), enabling cryptocurrency theft estimated at around $160k USD.
- Date: 2024-12-02 to 2024-12-03
- Category: Open Source
- Target Surface: Package registry
- Insertion Phase: distribution
- Impact: Financial Exploitation
- Cause: Compromised Account/Credentials
What Was Affected
- Package: @solana/web3.js
- Language: JavaScript
- Component: Library
- Artifact type: source archive
- Domain type: package host
- Domain: npmjs.org
Compromised Versions
Incident Context
- Motive: Financial Gain
- Attribution: Cybercriminal Gang
- User Impact: 400000
- Observed Duration: 1 day
Evidence
Compromised Artifacts
- registry.npmjs.org/@solana/web3.js/-/web3.js-1.95.6.tgz
- registry.npmjs.org/@solana/web3.js/-/web3.js-1.95.7.tgz
Current Artifacts and Analysis
Indicators and Changes
Hashes
sha256:cd9e0af30eee5b6935335e7969f9866d595b0c5301e15a2be54c9373f067f9d3
External References
Source Data
Source record: oss/solana_web3.js/meta.yaml