Solana’s SDK Snafu: When JavaScript Became a Wallet Thief!
Solana’s Web3.js library fell victim to a supply chain attack, with sneaky code stealing cryptocurrency private keys and draining wallets. The malicious versions, 1.95.6 and 1.95.7, were quickly pulled, but not before giving developers a reason to rotate their keys faster than a DJ at a dance party.

Hot Take:
Looks like the Solana SDK decided to play Santa Claus, giving out private keys faster than you can say “cryptocurrency heist.” While the blockchain stayed squeaky clean, the JavaScript library apparently thought it was auditioning for a villain role, making it a not-so-happy holiday season for some developers.

Key Points:
- Solana’s JavaScript SDK was compromised in a supply chain attack, leading to the theft of private keys and drained wallets.
- The malicious versions were 1.95.6 and 1.95.7, affecting projects that handle private keys directly.
- The attack was traced to the Solana address FnvLGtucz4E1ppJHRTev6Qv4X7g8Pw6WPStHCcbAKbfx, with stolen assets estimated at $184,000.
- Developers are advised to update to version 1.95.8 and rotate any compromised keys.
- The attack involved a sneaky “addToQueue” function that exfiltrated private keys to an attacker’s server.
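
A lockfile check for the two malicious versions listed above, as an added example that is not from the original article or the Solana project. It assumes the npm package name `@solana/web3.js` and npm's `package-lock.json` layout; the sample lockfile and its `some-wallet-lib` dependency are constructed for illustration.

```javascript
// Versions named on this page as malicious; 1.95.8 is the fixed release.
const BAD_VERSIONS = new Set(["1.95.6", "1.95.7"]);
const PKG = "@solana/web3.js"; // assumed npm name of Solana's Web3.js library

// Returns every place in a parsed package-lock.json where PKG resolves
// to a malicious version, including copies nested under other packages.
function findCompromised(lock) {
  const hits = [];

  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isPkg =
      path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`);
    if (isPkg && BAD_VERSIONS.has(meta.version)) {
      hits.push({ location: path, version: meta.version });
    }
  }

  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = [...trail, name];
      if (name === PKG && BAD_VERSIONS.has(meta.version)) {
        hits.push({ location: here.join(" > "), version: meta.version });
      }
      walk(meta.dependencies, here);
    }
  };
  // Skip the legacy tree when "packages" exists, to avoid double reporting.
  if (!lock.packages) walk(lock.dependencies, []);

  return hits;
}

// Constructed sample lockfile (not from a real project): a fixed top-level
// copy plus a malicious copy pulled in by a hypothetical dependency.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@solana/web3.js": { version: "1.95.8" },
    "node_modules/some-wallet-lib/node_modules/@solana/web3.js": { version: "1.95.7" },
  },
};

for (const hit of findCompromised(sampleLock)) {
  console.log(`${hit.location} -> ${hit.version}: upgrade to 1.95.8 and rotate keys`);
}
```

To run it against a real project, pass the parsed contents of `package-lock.json` to `findCompromised`; a hit on a nested path means a transitive dependency pinned the bad release even if the top-level copy is already 1.95.8.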