PANews reported on December 4 that SlowMist founder Yu Xian warned of a supply chain poisoning incident affecting versions 1.95.6 and 1.95.7 of the @solana/web3.js library: these versions contained backdoor code that could steal users' private keys. A new version has fixed the security risk, and no mainstream, well-known wallets have been found to be affected.
Real attacks have reportedly occurred. Because the malicious version was available for only a few hours before being discovered and removed, the victims may be third-party tools or bots that handle private keys and update their dependency packages promptly. Yu Xian reminds developers to promptly check the versions of the relevant dependency packages used in their projects.
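One way to carry out the version check described above, as an added example that is not from the report or from SlowMist: a function that scans a parsed npm `package-lock.json` for direct or transitive installs of the two affected versions. The function name, the sample lockfiles and every version in them other than 1.95.6 and 1.95.7 are constructed for illustration.

```javascript
// Versions of @solana/web3.js named in the report as backdoored.
const PACKAGE = "@solana/web3.js";
const BAD_VERSIONS = new Set(["1.95.6", "1.95.7"]);

// Scan a parsed package-lock.json and return every install of an affected version.
// Handles lockfileVersion 2/3 (flat "packages" map) and version 1 (nested "dependencies").
function findAffected(lock) {
  const hits = [];
  // v2/v3: keys are install paths such as "node_modules/a/node_modules/@solana/web3.js".
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + PACKAGE) && BAD_VERSIONS.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  if (lock.packages) return hits; // v2 also carries "dependencies"; avoid double counting
  // v1: walk the nested dependency tree so transitive copies are checked too.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + name;
      if (name === PACKAGE && BAD_VERSIONS.has(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfiles (hypothetical project and dependency names).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-bot", version: "0.0.1" },
    "node_modules/@solana/web3.js": { version: "1.91.0" },
    "node_modules/some-trading-lib/node_modules/@solana/web3.js": { version: "1.95.7" },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "@solana/web3.js": { version: "1.95.6" },
    "some-trading-lib": { version: "2.0.0", dependencies: { "@solana/web3.js": { version: "1.91.0" } } },
  },
};

for (const hit of [...findAffected(sampleV3), ...findAffected(sampleV1)]) {
  console.log(`AFFECTED ${PACKAGE}@${hit.version} at ${hit.path}`);
}
```

To check a real project, pass the parsed contents of its `package-lock.json` to `findAffected`; a non-empty result means the project resolved one of the backdoored versions, and any private keys it handled should be treated as exposed.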