Phantom Safe from Solana Web3.js Bug; Upgrade to 1.95.8 Urged

Phantom, a prominent wallet provider in the Solana ecosystem, has reassured its users that it is unaffected by a critical vulnerability recently discovered in the Solana/web3.js library.

The exploit, found in versions 1.95.6 and 1.95.7, involved malicious code designed to steal private keys. This flaw severely threatened applications and developers relying on the compromised versions, potentially exposing user funds to theft.

Phantom’s security team confirmed in a statement on X that the wallet provider has never used these versions in its infrastructure, ensuring its users remain safe.

Phantom is not impacted by this vulnerability.

Our Security Team confirms that we have never used the exploited versions of @solana/web3.js https://t.co/9wHZ4cnwa1

— Phantom (@phantom) December 3, 2024

The vulnerability has sent ripples through the Solana developer community.

Solana developer Trent Sol, who first sounded the alarm, described the compromised versions as a “secret stealer” capable of leaking private keys through seemingly legitimate CloudFlare headers.

anyone using @solana/web3.js, versions 1.95.6 and 1.95.7 are compromised with a secret stealer leaking private keys. if you or your product are using these versions, upgrade to 1.95.8 (1.95.5 is unaffected)

if you run a service that can blacklist addresses, do your thing with…

— trent.sol (@trentdotsol) December 3, 2024

He urged developers and projects to immediately upgrade to version 1.95.8 or roll back to unaffected version 1.95.5.

Despite these vulnerabilities, major projects such as Drift, Solflare, and Phantom confirmed their immunity, either due to avoiding the impacted versions or deploying additional security layers.

Drift is not affected by this vulnerability.

The Drift codebase does not have dependency on the two compromised "@solana/web3.js" releases. https://t.co/0EbicREB7W

— Drift (@DriftProtocol) December 3, 2024

Solflare is not impacted by the recent issue with @solana/web3.js.

We enforce version locking and conduct rigorous code reviews, both manual and automated, to protect against supply-chain attacks.

Your keys remain safe and secure with Solflare. https://t.co/0jIdYzV1Kn

— Solflare – The Solana Wallet (@solflare_wallet) December 3, 2024

The Bug in Solana Web3.js Library: Who Is Affected?

According to a Socket.dev post, a supply chain attack compromised the Solana/web3.js library, a core component for developers building on Solana.

This type of attack, targeting dependencies widely used by developers, inserted a backdoor function named addToQueue into versions 1.95.6 and 1.95.7.

The malicious function enabled the exfiltration of private keys by disguising its activity as legitimate CloudFlare header data.

Once captured, these keys were transmitted to a hardcoded Solana wallet address identified as FnvLGtucz4E1ppJHRTev6Qv4X7g8Pw6WPStHCcbAKbfx.

Cybersecurity researchers, including Christophe Tafani-Dereeper from Datadog, analyzed the malicious versions and highlighted the sophisticated nature of the exploit.

They discovered that the domain used for the operation (sol-rpc[.]xyz) had been registered on November 22, just days before the attack became public.

The domain was hosted behind CloudFlare, with the command-and-control (C2) server now offline.

This timeline points to a carefully planned attack, likely due to a phishing or social engineering campaign targeting the library’s maintainers.

The npm package manager, which hosts Solana/web3.js, swiftly removed the compromised versions.

Developers using the affected versions were advised to update version 1.95.8 immediately or audit their projects for suspicious dependencies.

Broader Implications for Solana and Web3 Security

The Solana ecosystem has responded rapidly to mitigate the fallout.

In addition to Phantom, major projects like Backpack have assured their users that the exploit does not affect them.

No @Backpack wallets were affected by this.

Stay safe. https://t.co/xkpFQZJTjn

— Armani Ferrante (@armaniferrante) December 4, 2024

Supply chain attacks like this have become increasingly common as malicious actors target the tools and libraries developers rely on.

Earlier this year, a similar attack involved a malicious Python package named “Solana-py,” which masqueraded as a legitimate API to steal wallet keys.

Similarly, in October this year, the Checkmarx threat research team uncovered a new malware campaign on the Python Package Index (PyPI) repository, targeting cryptocurrency users through a malicious package named “CryptoAITools.”

The malware masquerades itself as a legitimate cryptocurrency trading tool and uses a deceptive graphical user interface to distract victims while executing malicious activities on Windows and macOS systems.

Once installed, the malware launches a sophisticated multi-stage infection process, downloading additional components from a fake website and stealing sensitive data such as wallet recovery phrases, saved passwords, browsing history, and even Apple Notes on macOS.

Beyond the initial infection through PyPI, the campaign extends to other platforms, employing multiple social engineering tactics to lure victims.