Solana is one of the most popular blockchain platforms, supporting over 3,000 decentralized applications (dapps) and consistently ranking among the top blockchains by total value locked (TVL), which exceeds $10 billion. Currently, there is no evidence of active exploitation nor a public proof-of-concept for CVE-2024-54134. However, the presence of malicious packages capable of stealing private keys highlights the need for urgent action to protect applications and users.
| Product | Solana |
| Date | 2024-12-09 15:13:27 |
| Information |
|
Technical Summary
CVE-2024-54134 highlights a severe supply chain attack on the Solana ecosystem. Unauthorized and malicious versions of the JavaScript library @solana/web3.js (versions 1.95.6 and 1.95.7) were published due to the compromise of an account with publishing access. These versions were specifically designed to steal private key material, allowing attackers to drain funds from Solana dapps and bots that handle private keys directly.
Recommendations
Update Immediately: Ensure your application is using version 1.95.8 or later of the @solana/web3.js library.
[Callforaction-THREAT-Footer]
