Backdoor in Compromised Solana Code Library Drains $184,000 from Digital Wallets (bleepingcomputer.com)
The Solana JavaScript SDK "was temporarily compromised yesterday in a supply chain attack," reports BleepingComputer, "with the library backdoored with malicious code to steal cryptocurrency private keys and drain wallets."
Solana offers an SDK called "@solana/web3.js" used by decentralized applications (dApps) to connect and interact with the Solana blockchain. Supply chain security firm Socket reports that Solana's Web3.js library was hijacked to push out two malicious versions to steal private and secret cryptography keys to secure wallets and sign transactions... Solana confirmed the breach, stating that one of their publish-access accounts was compromised, allowing the attackers to publish two malicious versions of the library... Solana is warning developers who suspect they were compromised to immediately upgrade to the latest v1.95.8 release and to rotate any keys, including multisigs, program authorities, and server keypairs...
Once the threat actors gain access to these keys, they can load them into their own wallets and remotely drain all stored cryptocurrency and NFTs... Socket says the attack has been traced to the FnvLGtucz4E1ppJHRTev6Qv4X7g8Pw6WPStHCcbAKbfx Solana address, which currently contains 674.86 Solana and varying amounts of the Irish Pepe, Star Atlas, Jupiter, USD Coin, Santa Hat, Pepe on Fire, Bonk, catwifhat, and Genopets Ki tokens. Solscan shows that the estimated value of the stolen cryptocurrency is $184,000 at the time of this writing.
For anyone whose wallets were compromised in this supply chain attack, you should immediately transfer any remaining funds to a new wallet and discontinue the use of the old one as the private keys are now compromised.
Ars Technica adds that "In social media posts, one person claimed to have lost $20,000 in the hack."
The compromised library "receives more than ~350,000 weekly downloads on npm," Socket posted. (Although Solana's statement says the compromised versions "were caught within hours and have since been unpublished.")
Scammers gotta scam (Score:1)
Enough of your Bitcoin/Crypto stories.
A global money laundering cult.
Re: (Score:2)
> Enough of your Bitcoin/Crypto stories.
There are crypto shilling stories and then there are ones like this which remind us why crypto is fundamentally broken for both currency use and value storage. Yes, if you are a highly financed criminal with the knowledge to work around the privacy problems, crypto has a number of benefits. For normal people it's a pyramid scheme.
Re: (Score:2)
Re:Scammers gotta scam (Score:4, Informative)
If anyone gets a look at your private key, your crypto is irrevocably gone.
If this happened to my internet banking app, my money gets returned.
Re: (Score:2)
Insurance? Which insurers are foolish enough to insure cryptocurrency wallets? I'd like to short their stock.
Besides, getting paid back by insurance is different than having a fraudulent transaction rolled back.
Re: (Score:3)
> Enough of your Bitcoin/Crypto stories.
But thanks to AI song generation, now anyone can make an ode to all those stolen coins, so I did: Your Coins Are Gone (And They Ain’t Comin’ Back) [youtu.be].
So? (Score:3)
CODE IS LAW!!! (Right?)
BTC evangelists unaware of being victimized (Score:2)
Re: (Score:2)
Exactly. Never heard of Solano, Solana, whatever, or their stupid JS library.
Re: (Score:2)
Got em!
Re: (Score:2)
Re: (Score:1)
Well, since this compromise only affects Solana and has nothing to do with bitcoin, I'd estimate 0.
Re: (Score:2)
Re: (Score:2)
Exactly. It was transferred.
The hackers just did a little bit of DIY socialism, ain't nothin' wrong with that! /s
If only they'd used rust... (Score:3)
Everything would've been fine if they'd just used rust instead of javascript. I've been assured that rust solves all security problems! /j
Non-Trivial (Score:2)
> rotate any keys, including multisigs, program authorities, and server keypairs...
This is a huge undertaking in many scenarios.
Especially multisig - in some instances this involves flying people in from around the globe.
Wow, QA is valuable and missing QA is expensive.