Solana Web3.js Library Compromised in Supply Chain Attack, $160K Stolen

Malicious Code Targets Solana dApps, Exploits Developer Private Keys

The Solana ecosystem faced a significant supply chain attack after hackers compromised the widely used @solana/web3.js JavaScript library, a core tool for developing decentralized applications (dApps) on the Solana blockchain.

On December 2, attackers gained unauthorized access to a developer’s publish account on npm, embedding malicious code into versions 1.95.6 and 1.95.7 of the library. The breach resulted in the theft of approximately $160,000 in SOL tokens and other assets, according to Solscan data.


How the Attack Happened

The Solana-focused development team Anza disclosed the breach on Tuesday, confirming the attackers uploaded altered versions of the library, embedding a backdoor to exfiltrate private keys. The malicious updates, downloaded between 3:20 PM UTC and 8:25 PM UTC on December 2, transmitted the stolen key data to a hardcoded address controlled by the hackers.

The attack primarily impacted developers and systems that:

  • Updated to the compromised library versions.
  • Relied on backend bots or applications that handled private key operations.

Projects unknowingly integrating these versions became vulnerable to fund drains.


Key Players Respond

Leading Solana wallet providers, including Phantom and Solflare, swiftly reassured users that their systems were unaffected.

“Our Security Team confirms that we have never used the exploited versions of @solana/web3.js,” Phantom stated publicly, assuring users that their funds were safe.

Similarly, projects like Drift and Backpack confirmed that robust security protocols prevented any compromise.

Importantly, the Solana blockchain itself remained unaffected, as the breach targeted third-party dependencies rather than Solana’s core infrastructure.


Immediate Actions for Developers

In response to the attack, developers are urged to:

  1. Update immediately to the patched version 1.95.8 of the @solana/web3.js library.
  2. Audit projects to identify and remove dependencies on the compromised versions.
  3. Rotate and regenerate private keys to secure affected applications.

Tools like Socket have been recommended to help developers detect vulnerabilities within their repositories and prevent future exploits.


Supply Chain Attacks: A Growing Threat

The incident highlights the increasing risk of supply chain attacks, where malicious actors exploit widely used software to compromise a larger group of victims.

Hakan Unal, Senior Blockchain Scientist at Cyverse, emphasized the importance of securing third-party libraries:

“The recent Solana library supply chain attack highlights a critical issue in modern software development: the security of third-party dependencies. In crypto, where capital gain is high, rigid security standards are essential.”

This breach mirrors a similar incident involving the Lottie Player JavaScript library, where hackers embedded malicious code into its npm package, leading to over $723,000 in stolen funds.


The Bigger Picture

As the Solana ecosystem grows, incidents like this underscore the need for heightened security measures across development tools and open-source libraries. While end-users were largely spared in this attack, developers and teams must remain vigilant to prevent similar exploits in the future.

npm has since removed the malicious versions of the library, and the crypto community continues to monitor developments as Solana projects work to safeguard their platforms.
