Modified package published to npm, containing malware that exfiltrates private key material
Severity: High
Description
Earlier today, a publish-access account for @solana/web3.js, a JavaScript library commonly used by Solana dapps, was compromised. This allowed an attacker to publish unauthorized, modified packages that steal private key material and drain funds from dapps, such as bots, that handle private keys directly.
Recommendation
Update the @solana/web3.js package to the latest compatible version. Version details:
- Affected version(s): >= 1.95.6, < 1.95.8
- Patched version(s): 1.95.8
References
Related Issues
- tiny-secp256k1 vulnerable to private key extraction when signing a malicious JSON-stringifyable message in bundled envir - CVE-2024-49364
- secp256k1-node allows private key extraction over ECDH - CVE-2024-48930
- ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function - CVE-2024-9506
- Lobe Chat API Key Leak - CVE-2024-37895
Tags:
- npm
- @solana/web3.js
Last updated on January 22, 2026