Phantom, a prominent wallet provider in the Solana ecosystem, has reassured its users that it is unaffected by a critical vulnerability recently discovered in the Solana/web3.js library.
The exploit, found in versions 1.95.6 and 1.95.7, involved malicious code designed to steal private keys. This flaw severely threatened applications and developers relying on the compromised versions, potentially exposing user funds to theft.
Phantom’s security team confirmed in a statement on X that the wallet provider has never used these versions in its infrastructure, ensuring its users remain safe.
Phantom is not impacted by this vulnerability.
Our Security Team confirms that we have never used the exploited versions of @solana/web3.js https://t.co/9wHZ4cnwa1
The vulnerability has sent ripples through the Solana developer community.
Solana developer Trent Sol, who first sounded the alarm, described the compromised versions as a “secret stealer” capable of leaking private keys through seemingly legitimate CloudFlare headers.
anyone using @solana/web3.js, versions 1.95.6 and 1.95.7 are compromised with a secret stealer leaking private keys. if you or your product are using these versions, upgrade to 1.95.8 (1.95.5 is unaffected)
if you run a service that can blacklist addresses, do your thing with…
He urged developers and projects to immediately upgrade to version 1.95.8 or roll back to unaffected version 1.95.5.
Despite these vulnerabilities, major projects such as Drift, Solflare, and Phantom confirmed their immunity, either due to avoiding the impacted versions or deploying additional security layers.
Drift is not affected by this vulnerability.
The Drift codebase does not have dependency on the two compromised “@solana/web3.js” releases. https://t.co/0EbicREB7W
— Solflare – The Solana Wallet (@solflare_wallet) December 3, 2024
The Bug in Solana Web3.js Library: Who Is Affected?
According to a Socket.dev post, a supply chain attack compromised the Solana/web3.js library, a core component for developers building on Solana.
This type of attack, targeting dependencies widely used by developers, inserted a backdoor function named addToQueue into versions 1.95.6 and 1.95.7.
The malicious function enabled the exfiltration of private keys by disguising its activity as legitimate CloudFlare header data.
Once captured, these keys were transmitted to a hardcoded Solana wallet address identified as FnvLGtucz4E1ppJHRTev6Qv4X7g8Pw6WPStHCcbAKbfx.
Cybersecurity researchers, including Christophe Tafani-Dereeper from Datadog, analyzed the malicious versions and highlighted the sophisticated nature of the exploit.
They discovered that the domain used for the operation (sol-rpc[.]xyz) had been registered on November 22, just days before the attack became public.
The domain was hosted behind CloudFlare, with the command-and-control (C2) server now offline.
This timeline points to a carefully planned attack, likely due to a phishing or social engineering campaign targeting the library’s maintainers.
The npm package manager, which hosts Solana/web3.js, swiftly removed the compromised versions.
Developers using the affected versions were advised to update version 1.95.8 immediately or audit their projects for suspicious dependencies.
Broader Implications for Solana and Web3 Security
The Solana ecosystem has responded rapidly to mitigate the fallout.
In addition to Phantom, major projects like Backpack have assured their users that the exploit does not affect them.
The malware masquerades itself as a legitimate cryptocurrency trading tool and uses a deceptive graphical user interface to distract victims while executing malicious activities on Windows and macOS systems.
Once installed, the malware launches a sophisticated multi-stage infection process, downloading additional components from a fake website and stealing sensitive data such as wallet recovery phrases, saved passwords, browsing history, and even Apple Notes on macOS.
Beyond the initial infection through PyPI, the campaign extends to other platforms, employing multiple social engineering tactics to lure victims.
This articles is written by : Nermeen Nabil Khear Abdelmalak
All rights reserved to : USAGOLDMIES . www.usagoldmines.com
You can Enjoy surfing our website categories and read more content in many fields you may like .
Why USAGoldMines ?
USAGoldMines is a comprehensive website offering the latest in financial, crypto, and technical news. With specialized sections for each category, it provides readers with up-to-date market insights, investment trends, and technological advancements, making it a valuable resource for investors and enthusiasts in the fast-paced financial world.
By Nermeen Nabil Khear 