The widely used Solana Web3.js JavaScript library for decentralized apps has been hit by a supply chain intrusion that resulted in the release of two malicious versions designed to exfiltrate dapp private keys and drain funds, according to SecurityWeek.
Affected were versions 1.95.6 and 1.95.7 of the library, which were downloadable from npm for nearly five hours on Dec. 2 before being removed, the Solana Web3.js maintainers noted. "This issue should not affect non-custodial wallets, as they generally do not expose private keys during transactions. This is not an issue with the Solana protocol itself, but with a specific JavaScript client library and only appears to affect projects that directly handle private keys," the maintainers added.

While the intrusion does not appear to have compromised major cryptocurrency wallets, GitHub has recommended immediately removing the affected Solana Web3.js versions. "The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it," GitHub said.
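The first question for any team that depends on this library is whether one of the two compromised releases ever landed in its dependency tree, including as a transitive copy nested under another SDK. The following Node script is an added example, not code from the article, the Solana maintainers or GitHub: it walks a package-lock.json (both the lockfileVersion 2/3 "packages" map and the older lockfileVersion 1 "dependencies" tree) and reports every path holding @solana/web3.js 1.95.6 or 1.95.7. The embedded SAMPLE_LOCK is a constructed lockfile for demonstration; the function and variable names are this example's own.

```javascript
// Added example: flag the compromised @solana/web3.js releases (1.95.6, 1.95.7)
// anywhere in an npm lockfile, including copies nested under other packages.
const PACKAGE = "@solana/web3.js";
const COMPROMISED = new Set(["1.95.6", "1.95.7"]);

// Constructed sample lockfile (lockfileVersion 3) for the demonstration below:
// the top-level copy is compromised, the nested copy under "some-sdk" is not.
const SAMPLE_LOCK = {
  name: "example-dapp",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-dapp", dependencies: { "@solana/web3.js": "^1.95.0" } },
    "node_modules/@solana/web3.js": { version: "1.95.7" },
    "node_modules/some-sdk": { version: "2.0.0", dependencies: { "@solana/web3.js": "1.95.5" } },
    "node_modules/some-sdk/node_modules/@solana/web3.js": { version: "1.95.5" },
  },
};

// Return [{ path, version }] for every compromised copy found in a parsed lockfile.
// lockfileVersion 2 files carry both "packages" and a legacy "dependencies" tree;
// we prefer "packages" so each installed copy is reported once.
function findCompromised(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      // Keys look like "node_modules/@solana/web3.js" or
      // "node_modules/<other>/node_modules/@solana/web3.js".
      if (path.endsWith(`node_modules/${PACKAGE}`) && COMPROMISED.has(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, "", hits);
  }
  return hits;
}

// lockfileVersion 1: a recursive tree where each entry may have its own "dependencies".
function walkV1(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = `${prefix}node_modules/${name}`;
    if (name === PACKAGE && COMPROMISED.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
    if (meta.dependencies) walkV1(meta.dependencies, `${path}/`, hits);
  }
}

// Parse lockfile text and scan it; throws on malformed JSON so CI fails loudly.
function scanLockfileText(text) {
  return findCompromised(JSON.parse(text));
}

// Stand-alone use: `node scan.js path/to/package-lock.json`; with no argument the
// constructed sample is scanned. Exit status 1 when a compromised copy is present.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const hits = file
    ? scanLockfileText(require("node:fs").readFileSync(file, "utf8"))
    : findCompromised(SAMPLE_LOCK);
  for (const h of hits) console.log(`COMPROMISED ${PACKAGE}@${h.version} at ${h.path}`);
  console.log(hits.length ? `${hits.length} compromised copy(ies) found` : "no compromised copies found");
  process.exitCode = hits.length ? 1 : 0;
}
```

A hit means the advice quoted above applies in full: removing or upgrading the package is the first step, but because the malicious versions ran on the build or developer machine, any private keys that machine handled should be treated as exposed and rotated, and the host itself should be examined rather than assumed clean. On an already installed tree, `npm ls @solana/web3.js` gives the same picture as the lockfile walk.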