Backdoor slipped into popular code library, drains ~$155k from digital wallets
Briefly

This allowed an attacker to publish unauthorized and malicious packages that were modified, allowing them to steal private key material and drain funds from dapps, like bots, that handle private keys directly.
Anza went on to urge all Solana app developers to upgrade to version 1.95.8, which, at the time this post went live on Ars, was the latest available.
The backdoor came in the form of code that collected private keys and wallet addresses when apps that directly handled private keys incorporated solana-web3.js versions 1.95.6 and 1.95.7.
This issue should not affect non-custodial wallets, as they generally do not expose private keys during transactions.
Read at Ars Technica