All was aflutter with the @solana/web3.js JavaScript library supply chain attack today. This isn't the first supply chain attack, and it most definitely won't be the last. Earlier this year, it was a backdoor in xz. Around this time last year, it was a malicious upload to Ledger's NPMJS package (read the letter from the CEO). We've also seen it with @0xengine/xmlrpc, which bundled a little Monero mining and data theft.
So what happened today was a drop in the ocean: two small point releases (1.95.6 and 1.95.7), two very short timeframes (3:20 PM UTC and 8:25 PM UTC on December 2), and some $160,000 in stolen assets. You even saw the most popular wallet, Phantom, posting about it (to reassure users they were never affected). Yes, reputations matter.
I first saw this from a post on Anza's account, followed by the address to blacklist, with a quick way to check. It was also notable to see 0xMert on the defensive, which does make sense in a world of frenzied reportage. But maybe the most interesting post had to be from Patrick Collins, because the money shot was, "1. Watched my Hardhat Javascript course from 2022 within the last 14 days, and didn't use my lock file".
Always be thinking of secure practices when you're going to be writing code that involves assets (NFTs, coins, etc. - things of value). Ensure that when you consume content, you're consuming quality content (there is a lot of interesting content on YouTube).
Experienced developers know that you should always pin your npm/yarn dependencies (commit the package-lock.json or yarn.lock to the repo). Pinning protects you from supply chain attacks in a world of rapid deploys, where you don't want to pick up the latest package on every push.
Some of this is as simple as:
// Bad - allows floating versions
"dependencies": {
  "@solana/web3.js": "^1.95.0"
}

// Good - pins exact version
"dependencies": {
  "@solana/web3.js": "1.95.5"
}
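An exact version in package.json only pins your direct dependencies; the transitive tree is what the lock file pins, and `npm ci` is what installs strictly from it. The following Node script is an added example (not code from the original post or from the @solana/web3.js project) that audits a manifest and lock file the way a reviewer would before a deploy: it flags every dependency spec that is not an exact version, and it walks the lock file (lockfileVersion 1 as well as 2/3) for packages resolved to a known-compromised version. The known-bad list holds only the two versions named in the post; the sample package.json and package-lock.json objects are constructed inputs, and the function names are mine.

```javascript
// Added example: audit package.json for floating version ranges and
// package-lock.json for known-compromised versions. Sample manifests
// below are constructed; the KNOWN_BAD list is the two versions the
// post names for @solana/web3.js.

// An "exact" spec is a bare semver version, optionally with a
// prerelease/build suffix. Anything else (^, ~, >=, *, "latest",
// git/URL specs) can float to a different release on a fresh install.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Compromised releases named in the post.
const KNOWN_BAD = {
  "@solana/web3.js": new Set(["1.95.6", "1.95.7"]),
};

// Return every dependency whose spec is not pinned to an exact version.
function findFloatingSpecs(pkg) {
  const floating = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) floating.push({ name, spec, field });
    }
  }
  return floating;
}

// Flatten a lock file into [{ name, version }] entries, covering the
// transitive tree. lockfileVersion 2/3 keys "packages" by install path
// ("node_modules/a/node_modules/@scope/b"); v1 nests "dependencies".
function lockedPackages(lock) {
  const out = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project entry, not a dependency
      const idx = path.lastIndexOf("node_modules/");
      const name = idx >= 0 ? path.slice(idx + "node_modules/".length) : path;
      if (entry.version) out.push({ name, version: entry.version });
    }
  } else if (lock.dependencies) {
    const walk = (deps) => {
      for (const [name, entry] of Object.entries(deps)) {
        if (entry.version) out.push({ name, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies);
      }
    };
    walk(lock.dependencies);
  }
  return out;
}

// Return lock entries (direct or transitive) resolved to a known-bad version.
function findKnownBad(lock, knownBad = KNOWN_BAD) {
  return lockedPackages(lock).filter(
    ({ name, version }) => knownBad[name] && knownBad[name].has(version)
  );
}

// Constructed sample inputs: a caret range on web3.js, a "latest" tag on a
// dev dependency, and a lock file that resolved the caret to 1.95.6.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { "@solana/web3.js": "^1.95.0", bs58: "5.0.0" },
  devDependencies: { typescript: "latest" },
};

const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/@solana/web3.js": { version: "1.95.6" },
    "node_modules/bs58": { version: "5.0.0" },
  },
};

// Combine both checks into one report object.
function auditReport(pkg = SAMPLE_PACKAGE_JSON, lock = SAMPLE_LOCK_V3) {
  return { floating: findFloatingSpecs(pkg), compromised: findKnownBad(lock) };
}

console.log(JSON.stringify(auditReport(), null, 2));
```

To run it against a real project, replace the two sample objects with `JSON.parse` of your package.json and package-lock.json and fail the build when `compromised` is non-empty; `floating` is the list of specs that a lock file is doing the pinning for, which is exactly why that lock file belongs in the repo.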
So, write secure code, even if you're in a hurry. Use boilerplates with security in mind. Get the help of AI to audit your code. In Web3, version pinning isn't optional; it is essential. Why not 🚀 Master Solana Development in 14 Days and gain experience to ensure this doesn't happen to you. Learn about reproducible builds, security, semantic versioning, and more!
what do we all think about the /solana supply chain attack? https://paragraph.xyz/@bytebot.eth/the-solana-web3js-supply-chain-attack
nobody cares 😂 solana is for launching tokens.
launch the token, but have a wallet that gets drained with a supply chain attack (library being used), and you're kind of in trouble
I think it's fair to say we do not like supply chain attacks. Thanks for sharing, I hadn't seen this yet.
nothing really to do with solana