A supply chain attack on the Solana network ecosystem was quickly contained during the past day.
On Dec. 3, Anza, a Solana-focused development team, revealed that an account with publish access to the solana/web3.js JavaScript library was compromised.
This allowed the attacker to inject unauthorized packages containing malicious code that stole private key information and drained funds from decentralized applications (dApps) that interact with private keys.
Solana blockchain safe
The attack did not affect non-custodial wallets, as these wallets do not expose private keys during transactions. Developers clarified that the issue is specific to the JavaScript client library and does not involve the Solana protocol.
A staunch Solana advocate, Mert Mumtaz, reassured the community that the attack was contained while pointing out that the incident had “nothing to do with the security of the [Solana] blockchain itself.”
He also explained that the issue mainly impacted developers who had updated their systems within a short time window, specifically those running JavaScript bots or similar backend systems using private keys. End-users and wallets were largely unaffected, as they do not expose private keys.
Meanwhile, several Solana-based projects, including Phantom and the Backpack exchange, confirmed that the exploit did not impact them.
Phantom, the most popular Solana wallet, emphasized that they had never used the compromised versions of @solana/web3.js, ensuring their users’ security remained intact.
Six-figure loss
While the attack was promptly contained, the pseudonymous developer of DeFiLlama 0xngmi reported that some investors lost six figures due to the incident.
On-chain data suggest that the malicious attack resulted in an estimated $160,000 in stolen assets, primarily in SOL. The attacker’s address held over $161,000 worth of SOL and additional tokens valued at over $31,000.
While the loss is significant, 0xngmi believes the damage could have been far worse. He explained that the hacker’s direct targeting of private keys may have limited the attack’s potential as a more sophisticated exploit, such as the one seen in last year’s Ledger hardware wallet compromise, could have been far more destructive.
In that incident, attackers replaced a legitimate library with a malicious one, resulting in losses exceeding $610,000
