The security of the supply chain in software development is critical, especially with the increasing reliance on open-source libraries. On December 2, 2024, the Solana community experienced a severe supply chain security breach involving the popular @solana/web3.js npm package. This library, essential for developers working on the Solana blockchain, is downloaded over 450,000 times weekly. The incident highlights vulnerabilities in the software supply chain and underscores the need for proactive measures to ensure security. Here’s a breakdown of the event and its implications.
What happened?
Incident Scope:
- The breach affected versions 1.95.6 and 1.95.7 of the @solana/web3.js library.
- The attack occurred due to a phishing compromise of credentials used for publishing npm packages.
Attack Details:
- Attackers inserted a backdoor function called addToQueue, designed to capture and exfiltrate private keys used for signing transactions and accessing wallets.
- Malicious code was embedded in cryptographic functions, such as Keypair.fromSecretKey and Keypair.fromSeed.
- The compromised versions were available on npm for about five hours, during which applications updating or installing these versions were at risk.

Impact of the Incident
Financial Losses:
- Estimated damage: $130K (reported by Mert Mumtaz, CEO of Helius Labs).
- Quick Response: The Solana team acted swiftly, limiting the download window of compromised versions to just five hours.
- Clarifications: The issue was limited to the JavaScript client library and did not compromise the security of the blockchain itself.

Remediation Suggestions
- Upgrade to Version 1.95.8: The malicious code was removed in this version.
- Rotate All Suspect Keys: Includes multisigs, program authorities, server key pairs, and more.
- Monitor Libraries: Use tools that provide alerts for compromised packages.
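As an added example (not Mend's or the Solana project's code), a small script a team could run over its own package-lock.json to check the three remediation points above: it lists every installed copy of @solana/web3.js, flags the two affected versions named in this post, and offers a secondary text check for the reported addToQueue identifier. The sample lockfile is constructed for the demo.

```javascript
// Added example, not code from Mend or the Solana project. Audits a
// package-lock.json (lockfileVersion 2 or 3, which carry a "packages" map)
// for the two @solana/web3.js releases named in the advisory, including
// nested copies pulled in transitively. The sample lockfile is constructed.
const COMPROMISED_VERSIONS = new Set(["1.95.6", "1.95.7"]);
const FIXED_VERSION = "1.95.8";

// Return every installed copy of @solana/web3.js in the lockfile, flagged.
function auditLockfile(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    // Keys look like "node_modules/@solana/web3.js" for a direct install or
    // "node_modules/<dep>/node_modules/@solana/web3.js" for a nested one.
    if (!path.endsWith("node_modules/@solana/web3.js")) continue;
    findings.push({
      path,
      version: meta.version,
      compromised: COMPROMISED_VERSIONS.has(meta.version),
    });
  }
  return findings;
}

// Secondary indicator for an already-installed copy: the backdoor was reported
// as a function named addToQueue placed in the key-handling code paths. Its
// presence in the package's built files warrants a look; its absence proves nothing.
function mentionsAddToQueue(sourceText) {
  return /\baddToQueue\b/.test(sourceText);
}

// Constructed sample: a clean direct install plus a compromised nested copy.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/@solana/web3.js": { version: "1.95.8" },
    "node_modules/some-wallet-adapter/node_modules/@solana/web3.js": {
      version: "1.95.7",
    },
  },
});

for (const f of auditLockfile(SAMPLE_LOCK)) {
  const status = f.compromised ? `COMPROMISED (upgrade to ${FIXED_VERSION})` : "ok";
  console.log(`${f.version.padEnd(8)} ${status}  ${f.path}`);
}
```

To audit a real project, read its package-lock.json into a string and pass it to auditLockfile; any copy flagged as compromised means the keys that host could have handled should be rotated as described above.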
Detection by Mend
Mend tracked the issue as MSC-2024-17462 and MSC-2024-17463, issuing alerts for affected versions to its customers.
The Solana team has also published a CVE for the issue.
The Importance of Supply Chain Security
This is the third major supply chain attack in the last six months, following incidents with the Lottie player and polyfill libraries. Other notable attacks include the XZ incident earlier this year and ongoing North Korean attacks on developers.
Companies often prioritize known vulnerabilities over malicious packages, overlooking that a malicious package is an immediate compromise rather than a potential one. There is a pressing need to allocate more resources to securing the supply chain and outsourced operations.
Conclusion
The @solana/web3.js incident highlights the persistent risks associated with supply chain security. While the financial damage was contained, it serves as a critical reminder of the importance of vigilance and proactive measures. Developers and organizations must take supply chain security seriously and invest in safeguarding their ecosystems against evolving threats.