Solana blockchain's popular web3.js npm package backdoored to steal keys, funds

Malware-poisoned versions of the widely used JavaScript library @solana/web3.js were distributed via the npm package registry, according to an advisory issued Wednesday by project maintainer Steven Luscher. An advisory, covering CVE-2024-54134 (CVSS-B: 8.3 High), explains that a hijacked @solana account with permission to …

  1. Doctor Syntax Silver badge

    Blockchain. The gift that keeps on taking.

    1. An_Old_Dog Silver badge

      Cryptographic Code-Signing:

      The long-known technique which companies, organisations, and developers either fail to use, or keep fucking up.

      1. sabroni Silver badge

        Re: Cryptographic Code-Signing:

        They compromised the source and ran the build. The build signs the compromised package. Users check that it's signed and install it.

        I'm not sure what you are trying to say with this. How do you think Cryptographic Code-signing is relevant here?

        1. An_Old_Dog Silver badge

          Re: Cryptographic Code-Signing:

          @sabroni:

          a hijacked @solana account with permission to publish the library was used to add malicious code.

          How was that account hijacked? Password == "123456"? Dev web-surfed on a machine signed into that Solana account, or on a machine which had the Solana account creds or keys stored on it, instead of surfing from a VM? Somebody put the Solana account PW in a repo?

          Fuckup. Locks are useless if you leave the keys in the lock, or on the ground somewhere.

      2. Irongut Silver badge

        Re: Cryptographic Code-Signing:

        Apparently old dogs don't understand the lack of security provided by their old tricks.

        What a shame they are unable to learn new ones.

      3. CowHorseFrog Silver badge

        Re: Cryptographic Code-Signing:

        code signing wouldn't solve anything. Most dependency management config files never use exact version numbers, which means at any time a new version could be sucked in and that new version could have a backdoor.
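The point above about floating version ranges can be checked mechanically. The script below is an added example, not code from the thread, the article or the Solana project: it reads the dependency specifiers of a package.json-style object and, against a constructed list of published versions, reports which newly published releases each specifier would accept. The package names, version numbers and registry contents are constructed for illustration; they are not the real backdoored releases.

```javascript
// Added example: flag npm dependency specifiers that float, i.e. would let a later
// published (and possibly backdoored) release be installed without any config change.
const EXACT = /^\d+\.\d+\.\d+$/;

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error("unsupported version string: " + v);
  return m.slice(1).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Does `spec` admit `version`? Handles the common package.json forms:
// exact ("1.2.3"), tilde ("~1.2.3"), caret ("^1.2.3") and wildcard ("*").
function satisfies(spec, version) {
  const v = parseVersion(version);
  if (spec === "*" || spec === "" || spec === "latest") return true;
  const op = spec[0] === "^" || spec[0] === "~" ? spec[0] : "";
  const base = parseVersion(op ? spec.slice(1) : spec);
  if (!op) return cmp(v, base) === 0;          // exact pin
  if (cmp(v, base) < 0) return false;          // ranges never go below the base
  if (op === "~") return v[0] === base[0] && v[1] === base[1];   // patch-level float
  // caret: the leftmost non-zero component must not change
  if (base[0] !== 0) return v[0] === base[0];
  if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
  return cmp(v, base) === 0;
}

// For each dependency, list every published version the specifier would pull in.
function auditDependencies(deps, published) {
  return Object.entries(deps).map(([name, spec]) => ({
    name,
    spec,
    floating: !EXACT.test(spec),
    admitted: (published[name] || []).filter((v) => satisfies(spec, v)),
  }));
}

// Constructed sample input (hypothetical versions, not the real affected releases).
const SAMPLE_DEPS = { "@solana/web3.js": "^1.95.0", "left-pad": "1.3.0" };
const SAMPLE_REGISTRY = {
  "@solana/web3.js": ["1.95.0", "1.95.1", "1.95.2", "2.0.0"],
  "left-pad": ["1.3.0", "1.3.1"],
};
```

Run `auditDependencies(SAMPLE_DEPS, SAMPLE_REGISTRY)` to see that the caret range admits every 1.95.x release that appears after the one you tested, while the exact pin admits only itself; a committed lockfile gives the same protection for transitive dependencies.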

    2. CowHorseFrog Silver badge

      Given Russia's disconnection from SWIFT, I wonder how much of a new weapon Bitcoin and all the other bullshit coins are to helping Putin.
