@solana/web3.js stole private keys

@solana/web3.js is the canonical Solana SDK for JavaScript clients and server-side systems. Many bots, backends, and automation tools use it near signing keys. A poisoned npm release therefore created a direct route to wallet material.

On December 3, 2024, malicious versions 1.95.6 and 1.95.7 were published to npm. The official advisory says a publish-access account was compromised and that the affected releases were available for several hours before removal. The safe upgrade path was 1.95.8.

The added code targeted key-handling flows. Socket and other researchers described an addToQueue exfiltration function and calls from private-key related code paths. The destination domain was sol-rpc.xyz, an attacker-controlled endpoint designed to look plausible in the Solana ecosystem.

The highest-risk systems were those that passed private keys directly through the library: bots, backend services, and custodial tooling. The Register reported theft estimates around $160,000 and noted the package's large weekly download base, but the artifact record keeps confirmed malicious versions separate from broad ecosystem exposure.

Motive

Financial Gain

Cause

Compromised Account Credentials

Transitive

No

User Impact

500000

• CVE-2024-54134nvd.nist.gov
• MITRE CVE-2024-54134cve.mitre.org
• Researchers Uncover Backdoor in Solana's Web3.js npm Librarythehackernews.com
• Critical Security Alert - Solana Web3.js Library Compromisecyfrin.io
• @solana/web3.js v1.95.8 releasegithub.com
• Solana JavaScript SDK backdoored to steal keys and fundstheregister.com
• @solana/web3.js private key leakage advisorygithub.com
• Supply Chain Attack - Solana Web3.js Librarysocket.dev