Modified package published to npm, containing malware that exfiltrates private key material
Severity: High
Description
Earlier today, a publish-access account for @solana/web3.js, a JavaScript library commonly used by Solana dapps, was compromised. The attacker used it to publish unauthorized, modified versions of the package containing code that steals private key material, allowing funds to be drained from dapps, such as bots, that handle private keys directly.
Recommendation
Update the @solana/web3.js package to the latest compatible version. Version details:
- Affected version(s): >= 1.95.6, < 1.95.8
- Patched version(s): 1.95.8
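Because the malicious releases can also be pulled in as a nested transitive dependency, checking only the top-level version in package.json is not enough. The following script, an added example that is not part of this advisory or of the @solana/web3.js project, walks an npm package-lock.json (both the lockfileVersion 2/3 `packages` map and the lockfileVersion 1 nested `dependencies` tree) and reports every installed copy of @solana/web3.js whose version falls in the affected range >= 1.95.6, < 1.95.8. The lockfile embedded below is constructed for the demonstration; the range constants come from the advisory.

```javascript
// Added example (not part of the advisory): find installed copies of
// @solana/web3.js in an affected version range inside an npm lockfile.
// SAMPLE_LOCKFILE below is constructed for the demonstration.

const AFFECTED_PACKAGE = "@solana/web3.js";
const AFFECTED_MIN = "1.95.6"; // inclusive, from the advisory
const AFFECTED_MAX = "1.95.8"; // exclusive: the patched release

// Parse "MAJOR.MINOR.PATCH" into numbers. A prerelease/build suffix
// (e.g. "1.95.7-beta.1") is ignored, so such a build is treated as its
// base version; that errs on the side of flagging it.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when MIN <= version < MAX.
function isAffected(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 &&
         compareVersions(version, AFFECTED_MAX) < 0;
}

// Walk the lockfile and collect affected copies as { path, version }.
function findAffected(lockfile) {
  const hits = [];

  // lockfileVersion 2/3: flat "packages" map keyed by install path, e.g.
  // "node_modules/@solana/web3.js" or a nested
  // "node_modules/some-dep/node_modules/@solana/web3.js".
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith(`node_modules/${AFFECTED_PACKAGE}`)) continue;
    if (entry.version && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }

  // lockfileVersion 1: nested "dependencies" tree (only present when the
  // "packages" map is absent, so the same copy is not reported twice).
  if (!lockfile.packages && lockfile.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === AFFECTED_PACKAGE && entry.version && isAffected(entry.version)) {
          hits.push({ path, version: entry.version });
        }
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lockfile.dependencies, "");
  }

  return hits;
}

// Constructed sample: the top-level copy is already on the patched release,
// but a dependency still pins a nested copy on an affected version.
const SAMPLE_LOCKFILE = {
  name: "example-bot",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-bot", version: "0.1.0" },
    "node_modules/@solana/web3.js": { version: "1.95.8" },
    "node_modules/some-dep": { version: "2.0.0" },
    "node_modules/some-dep/node_modules/@solana/web3.js": { version: "1.95.7" },
  },
};

// Human-readable report for the sample; returns the number of hits so the
// result can be used as an exit status by a wrapper script.
function report(lockfile) {
  const hits = findAffected(lockfile);
  if (hits.length === 0) {
    console.log(`no affected ${AFFECTED_PACKAGE} versions found`);
  } else {
    for (const h of hits) console.log(`AFFECTED: ${h.path} @ ${h.version}`);
  }
  return hits.length;
}

report(SAMPLE_LOCKFILE);
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Any hit, nested or not, means the lockfile must be regenerated so that every copy resolves to 1.95.8 or later; a hit on a machine that has run `npm install` since the affected versions were published should additionally be treated as a possible key exposure per the description above.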
References
Tags: npm, @solana/web3.js
Last updated on December 04, 2024