The Solana web3.js Supply Chain Attack

Isn't the first time, won't be the last time; be secure in your programming

colin charles

All was aflutter with the @solana/web3.js JavaScript library supply chain attack today. This isn't the first supply chain attack, and it most definitely won't be the last. Earlier this year, it was a backdoor in xz. Around this time last year, it was a malicious upload to Ledger's NPMJS (read the letter from the CEO). We've also seen it with @0xengine/xmlrpc, with a little Monero mining and data theft.

So what happened today was a drop in the ocean - two small versions (1.95.6 and 1.95.7), two very short timeframes (3:20 PM UTC and 8:25 PM UTC on December 2), and some $160,000 in stolen assets. You start seeing the most popular wallet, Phantom, posting about it too (to reassure users they were never affected). Yes, reputations matter.

I first saw this from a post on Anza's account, followed by the address to blacklist, with a quick way to check. Then it is notable to see 0xMert be defensive, but it does make sense in a world of crazy reportage. But maybe the most interesting post had to be from Patrick Collins, because the money shot was, "1. Watched my Hardhat Javascript course from 2022 within the last 14 days, and didn't use my lock file".

Always be thinking of secure practices when you're going to be writing code that involves assets (NFTs, coins, etc. - things of value). Ensure that when you consume content, you're consuming quality content (there is a lot of interesting content on YouTube).

Experienced developers know that you should always pin your npm/yarn dependencies (commit the package-lock.json or yarn.lock to the repo). Pinning prevents misery from supply chain attacks in a world of rapid deploys, where you don't want to pick up the latest package on every push.

Some of this is as simple as:

// Bad - allows floating versions
"dependencies": {
  "@solana/web3.js": "^1.95.0"
}

// Good - pins exact version
"dependencies": {
  "@solana/web3.js": "1.95.5"
}
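To make the pinning advice above something you can actually check in CI, here is an added example (not code from the original post or from the Solana project) that audits a package.json together with its package-lock.json. It flags dependency specifiers that are not exact pins, flags dependencies that are missing from the lockfile (no lockfile, or a stale one), and flags a lockfile that resolves @solana/web3.js to one of the two malicious versions named in the post (1.95.6 and 1.95.7). The sample manifests and the function name `auditDependencies` are constructed for this example; the lockfile layout assumed is the `packages` map of npm lockfile v2/v3.

```javascript
// Added example: audit package.json + package-lock.json for floating ranges
// and known-compromised resolved versions. Sample manifests below are
// constructed for this example and are not from any real project.

// The two malicious publishes named in the post.
const KNOWN_BAD = { "@solana/web3.js": new Set(["1.95.6", "1.95.7"]) };

// An exact pin is a bare version: MAJOR.MINOR.PATCH with an optional
// prerelease/build suffix. Anything else (^, ~, ranges, "*", dist-tags) floats.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;

// Returns a list of findings; an empty list means the manifest is clean.
function auditDependencies(pkg, lock, knownBad = KNOWN_BAD) {
  const findings = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  // npm lockfile v2/v3: installed packages keyed by "node_modules/<name>".
  const locked = (lock && lock.packages) || {};

  for (const [name, spec] of Object.entries(deps)) {
    if (!EXACT_VERSION.test(spec)) {
      findings.push({ name, level: "warn", reason: `floating range "${spec}" in package.json` });
    }
    const entry = locked[`node_modules/${name}`];
    if (!entry || !entry.version) {
      findings.push({ name, level: "error", reason: "not resolved in package-lock.json (lockfile missing or stale)" });
      continue;
    }
    const bad = knownBad[name];
    if (bad && bad.has(entry.version)) {
      findings.push({ name, level: "error", reason: `lockfile resolves to known-compromised version ${entry.version}` });
    }
  }
  return findings;
}

// Constructed sample 1: floating range, and a lockfile regenerated after the
// malicious publish, so it resolved to 1.95.7.
const SAMPLE_BAD_PKG = { dependencies: { "@solana/web3.js": "^1.95.0" } };
const SAMPLE_BAD_LOCK = {
  lockfileVersion: 3,
  packages: { "node_modules/@solana/web3.js": { version: "1.95.7" } },
};

// Constructed sample 2: exact pin, lockfile committed and in agreement.
const SAMPLE_GOOD_PKG = { dependencies: { "@solana/web3.js": "1.95.5" } };
const SAMPLE_GOOD_LOCK = {
  lockfileVersion: 3,
  packages: { "node_modules/@solana/web3.js": { version: "1.95.5" } },
};

// Convenience wrappers so each scenario can be called by name.
function auditBadSample() { return auditDependencies(SAMPLE_BAD_PKG, SAMPLE_BAD_LOCK); }
function auditGoodSample() { return auditDependencies(SAMPLE_GOOD_PKG, SAMPLE_GOOD_LOCK); }
function auditNoLockfile() { return auditDependencies(SAMPLE_GOOD_PKG, null); }

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, run] of [["bad", auditBadSample], ["good", auditGoodSample], ["nolock", auditNoLockfile]]) {
    console.log(label, JSON.stringify(run(), null, 2));
  }
}
```

Run it with `node` on the real files by replacing the sample objects with `JSON.parse(fs.readFileSync(...))`, and fail the build on any `error` finding. The lockfile check matters as much as the pin itself: a pin in package.json with no committed lockfile still leaves transitive dependencies floating, and `npm ci` (which refuses to install when package.json and package-lock.json disagree) only helps if the lockfile is actually in the repo.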

So, write secure code, even if you're in a hurry. Use boilerplates with security in mind. Get the help of AI to audit your code. In Web3, version pinning isn't optional; it is essential. Why not 🚀 Master Solana Development in 14 Days and gain the experience to ensure this doesn't happen to you? Learn about reproducible builds, security, semantic versioning, and more!

anon (Farcaster)
Commented 3 months ago

what do we all think about the /solana supply chain attack? https://paragraph.xyz/@bytebot.eth/the-solana-web3js-supply-chain-attack

JR ↑ (Farcaster)
Commented 3 months ago

nobody cares 😂 solana is for launching tokens.

Colin Charles (Farcaster)
Commented 3 months ago

launch the token, but have a wallet that gets drained with a supply chain attack (library being used), and you're in kind of trouble

adrienne (Farcaster)
Commented 3 months ago

I think it's fair to say we do not like supply chain attacks. Thanks for sharing, I hadn't seen this yet.

Benjamin Basche (Farcaster)
Commented 3 months ago

nothing really to do with solana