Modified package published to npm, containing malware that exfiltrates private key material
- Severity: High
Description
Earlier today, a publish-access account was compromised for @solana/web3.js, a JavaScript library that is commonly used by Solana dapps. This allowed an attacker to publish unauthorized, modified versions of the package containing malware that steals private key material and drains funds from dapps, such as bots, that handle private keys directly.
Recommendation
Update the @solana/web3.js package to the latest compatible version. Version details:
- Affected version(s): >= 1.95.6, < 1.95.8
- Patched version(s): 1.95.8
- Tags: npm, @solana/web3.js
Last updated on December 04, 2024