Unknown malicious actors compromised an open source library affiliated with the Solana blockchain platform, putting untold numbers of cryptocurrency platforms and individual wallets at risk of theft.
The npm package @solana/web3.js is a JavaScript API for use with the Solana blockchain platform. It ranks among the top 10,000 projects in the npm community, with more than 3,000 dependent projects generating 400,000 weekly downloads and 51 million total recorded downloads.
Versions 1.95.6 and 1.95.7 of the npm package @solana/web3.js were discovered to contain malicious functions intended to steal sensitive information. A GitHub Advisory published on Tuesday warned that “any computer that has this package installed or running should be considered fully compromised.”
Developers should downgrade to Version 1.95.5 or upgrade to 1.95.8 of the web3.js library and rotate “all secrets and keys stored on that computer” immediately from a different, unaffected system. Given the nature of the compromise, it is possible that attackers will maintain a presence on the infected system even after the compromised library is removed, GitHub warned.
Here’s what you need to know about the crypto-focused malware.
Differential analysis of Solana package finds malicious URLs
The ReversingLabs research team used RL’s differential analysis and found clear evidence of a compromise, including malicious behaviors such as stealing private keys and sending them to an external source (hxxps[:]//sol-rpc[.]xyz/api/rpc/queue). Differential analysis found new file content in both 1.95.6 and 1.95.7, compared with previous, non-malicious versions of web3.js, that contained URLs on suspicious top-level domains (Source: RL Spectra Assure policy TH17118).
Analysis of the affected web3.js packages by Christophe Tafani-Dereeper, a researcher working for the firm Datadog, identified backdoor code inserted in v1.95.7 that adds a function, “addToQueue,” designed to exfiltrate private keys using legitimate-seeming Cloudflare headers. Calls to the “addToQueue” function were inserted in locations that are used to access the private key, he said.
Differential analysis of the web3.js package detected four files in the modified packages that contained links to a suspicious top-level domain: sol-rpc[.]xyz. Research by Tafani-Dereeper determined that the domain was first registered in November and was hosted by Cloudflare.
Compromised account to blame for supply chain hack?
How the malicious actors gained control over the web3.js npm library was still a mystery as of late Wednesday. However, there is evidence that the compromise of a web3.js maintainer account may be to blame. A social media post by Anza, a Solana-focused R&D firm, late Tuesday claimed that a publish-access account was compromised by the malicious actors, giving them access to private keys and possibly enabling them to drain funds from crypto bots and other decentralized apps (dapps) that manage private keys directly during transactions.
However, non-automated dapps would not be affected by the compromise. And only dapps that updated their web3.js library between roughly 3pm (UTC) Tuesday, December 2, and 8:30pm Tuesday would be affected — the short window during which the malicious code was undetected.
Crypto: A common supply chain target
Code and infrastructure linked to cryptocurrencies, Solana included, are a frequent target of sophisticated cyber attacks. In 2022, more than 7,000 wallets containing Solana cryptocurrency were emptied in an attack that exploited a previously undisclosed (zero-day) vulnerability. Subsequent campaigns have targeted Solana developers with malicious packages typo-squatting Solana applications.
Article Link: Malware found in Solana npm library — with 50m downloads
1 post – 1 participant