The official Solana web3.js library was under attack for a critical five-hour window

Key Takeaways
• Hackers hijacked Solana’s npm package to publish malicious versions that silently exfiltrated private keys.
• The attack targeted apps and bots that directly handle private keys—non-custodial wallets like OneKey were unaffected.
• This was a supply chain attack at the npm level, not via GitHub. Developers must avoid blindly using @latest and always verify package versions.
• Teams maintaining key libraries should implement 2FA, limit publishing permissions, and adopt internal code review policies.
• Users should avoid custodial tools for critical funds—use non-custodial wallets and keep private keys offline.
• Developers should lock dependencies, review changelogs, and stay alert to community security updates.
• Fake npm packages mimicking Solana components are still out there—always verify before installing.
That was a close one.
Targeting project teams isn't cutting it for hackers anymore—they're now going straight for the jugular by attacking official blockchain libraries.
Not long ago, Solana Labs' official web3.js library was compromised. Altered code versions were released, enabling private key theft.
Thankfully, the breach was discovered in time. According to Solscan data, the damage was limited to around $160,000.
No bs—OneKey gives you a professional breakdown
> What is @solana/web3.js?
It's Solana's official core JavaScript library, developed and maintained by the Solana Labs team, specifically for interacting with the Solana blockchain.
Most Solana applications you use (like Jupiter, Pumpfun) rely on it. With over 400,000 weekly downloads, it's one of the most commonly used tools for developing decentralized applications (dApps) on Solana, providing a complete API for operating the Solana blockchain.
Calling it the cornerstone of Solana's development ecosystem isn't an overstatement.
> What Happened? Detailed Breakdown of the Attack
The attack occurred between 11:20 PM on December 2, 2024, and 4:25 AM on December 3, 2024 (Beijing time).
Maintainers of the official Solana web3.js library fell victim to phishing or social engineering, compromising their computers or accounts.
After gaining access to accounts with publishing permissions, the hackers published two tampered versions of the web3.js library on npm: 1.95.6 and 1.95.7.
In these versions, they sneakily added a malicious function called addToQueue. On the surface, it appeared to handle ordinary network requests, but it was actually exfiltrating users' private keys—particularly affecting projects that directly handle private keys, like bots. The hackers invoked this malicious function in multiple places where private keys are normally processed.
According to security researcher Christophe Tafani-Dereeper, this attack method was highly cunning, with malicious code cleverly hidden within normal functionality.
They also set up a server with the domain name sol-rpc[.]xyz (which looks legit) to receive the stolen private keys. This server has now been shut down.
After the incident, Solana developer @trentdotsol was the first to report it. Multiple Solana-based projects like Solflare, Phantom Wallet, and Helium stated they weren't affected. This was mainly because they didn't update to the compromised library versions during that window, and most non-custodial wallets don't expose private keys during transactions.
Note: Non-custodial wallets are ones where you keep your private keys yourself—they aren't stored on a server. For example, the OneKey hardware wallet is a hardcore non-custodial wallet that keeps your private keys completely offline from generation to storage. In contrast, various meme sniping trading bots are typical custodial wallets that store private keys on servers.
Because the attack lasted only five hours and the community responded quickly, losses were effectively controlled. According to Solscan data, attackers stole about $160,000 in crypto. For a blockchain attack, that's relatively minor.
Once the problem was discovered, the affected versions were immediately removed from the npm registry, and a safe version 1.95.8 was released. The community actively urged developers to update to the latest version ASAP and rotate any potentially compromised keys and credentials.
> What Did We Learn? Key Takeaways
1. For Users:
This attack targeted non-custodial wallets or services that directly use private keys locally during operation.
Be cautious when using custodial wallets (where you don't hold your private keys—like various meme trading bots) and similar online services. These tools and services often have multiple "risk points" and can easily be targeted by hackers or even insiders—since private keys are usually stored on servers.
Don't store large funds in such wallets and services. Use non-custodial wallets and keep your private keys and seed phrases offline. Consider using hardware wallets. We previously made a detailed comparison of wallet security pros and cons (link). If you're unfamiliar with these concepts and still think in terms of Web2 logins, definitely check it out.
Always remember in Web3: "Not your keys, not your coins." The core of managing any crypto assets is the private key.
2. For Upstream Supply Chain:
Supply chain security is paramount. We hope the Solana Labs team learns from this. Employees should be prepared against social engineering and phishing attacks. Ensure npm accounts have multi-factor authentication enabled to prevent easy account breaches, and restrict publishing permissions for critical dependency packages. As the official source in the supply chain, you can't be too cautious with security measures.
3. For Developers:
Some might ask, "Who reviewed that PR (pull request)? How did it get merged?"
Actually, this attack didn't involve the GitHub source code repository. The hackers directly published the npm package, which doesn't require code to be submitted to the source repo. As long as you have publishing permissions, you can run a single command, npm publish, on your computer to upload the code package to the npm server. Reportedly, there were 14 accounts with publishing permissions... (Source https://x.com/beeman_nl/status/1864120050627567768)
Quick Explainer: npm stands for Node Package Manager—a tool for sharing and managing JavaScript code libraries. Developers can conveniently download code packages shared by others via npm to speed up development.
Those who got hit likely didn't pay attention to package versions and casually used the latest version, or happened to need an upgrade at that time. Simply running npm install @solana/web3.js or npm install @solana/web3.js@latest during the malicious version's release window would compromise you.
So, be cautious with @latest! Avoid automatically updating dependencies without oversight. Check changelogs and community feedback before updating.
To prevent similar attacks, developers should carefully check package versions and sources when installing and updating dependencies, stay informed about security announcements, and use lock files (like package-lock.json) to ensure the reliability of dependency versions.
Moreover, npm package phishing doesn't stop there. A few days ago, Socket warned about a fake Solana-themed npm package called solana-systemprogram-utils, designed to silently redirect users' funds to an attacker's hardcoded wallet address in 2% of transactions. Always verify before use.
> That's it.