
Cloud Vulnerability DB
A community-led vulnerabilities database
A publish-access account for @solana/web3.js, a widely used JavaScript library for Solana decentralized applications (dapps), was compromised on December 3, 2024. The breach occurred between 3:20pm UTC and 8:25pm UTC, allowing attackers to publish unauthorized and malicious versions (1.95.6 and 1.95.7) of the package. The vulnerability, tracked as CVE-2024-54134, received a CVSS score of 8.3 (High) (GitHub Advisory, NVD).
The compromised npm account was used to publish modified versions of the package containing malicious code designed to exfiltrate private key material. According to security researcher Christophe Tafani-Dereeper, the backdoor in version 1.95.7 added an 'addToQueue' function that exfiltrated private keys through seemingly legitimate Cloudflare headers (The Register).
The vulnerability primarily affects projects that handle private keys directly, such as bots and other applications that manage their own keypairs. Non-custodial wallets were not affected, as they generally do not expose private keys during transactions. According to Mert Mumtaz, CEO of Helius Labs, the financial loss from this incident was estimated at approximately 130,000 USD (The Register).
All Solana app developers are advised to upgrade to version 1.95.8. Developers who suspect they might be compromised should rotate any suspect authority keys, including multisigs, program authorities, and server keypairs. The malicious versions (1.95.6 and 1.95.7) have been unpublished from the npm registry (GitHub Advisory).
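As an added example (not code from the advisory or from the Solana project), the following script checks an npm lockfile for the two compromised releases named above, so a developer can confirm whether a project ever resolved to them; the lockfile contents are a constructed sample, and `findMaliciousSolanaWeb3` is a hypothetical helper name.

```javascript
// Added example: scan an npm lockfile for the @solana/web3.js releases
// published during the CVE-2024-54134 compromise (1.95.6 and 1.95.7).
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").
const AFFECTED_PACKAGE = "@solana/web3.js";
const MALICIOUS_VERSIONS = new Set(["1.95.6", "1.95.7"]);
const FIXED_VERSION = "1.95.8"; // version the advisory tells developers to upgrade to

// Returns every install path whose resolved version is one of the malicious releases.
function findMaliciousSolanaWeb3(lockfile) {
  const hits = [];
  if (lockfile.packages) {
    // lockfileVersion 2/3 keeps a flat map keyed by install path; a v2 file also
    // carries a legacy "dependencies" tree, so only the "packages" map is read
    // to avoid reporting the same install twice.
    for (const [installPath, meta] of Object.entries(lockfile.packages)) {
      if (installPath.endsWith(`node_modules/${AFFECTED_PACKAGE}`) &&
          MALICIOUS_VERSIONS.has(meta.version)) {
        hits.push({ path: installPath, version: meta.version });
      }
    }
  } else if (lockfile.dependencies) {
    // lockfileVersion 1 nests transitive dependencies under each package.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const installPath = `${prefix}node_modules/${name}`;
        if (name === AFFECTED_PACKAGE && MALICIOUS_VERSIONS.has(meta.version)) {
          hits.push({ path: installPath, version: meta.version });
        }
        if (meta.dependencies) walk(meta.dependencies, `${installPath}/`);
      }
    };
    walk(lockfile.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile (lockfileVersion 3 shape): the top-level copy is
// malicious, while a nested copy under another package resolved to a clean release.
const SAMPLE_LOCKFILE = {
  name: "example-bot",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-bot", dependencies: { "@solana/web3.js": "^1.95.0" } },
    "node_modules/@solana/web3.js": { version: "1.95.7" },
    "node_modules/some-sdk": { version: "2.0.0" },
    "node_modules/some-sdk/node_modules/@solana/web3.js": { version: "1.95.5" },
  },
};

for (const hit of findMaliciousSolanaWeb3(SAMPLE_LOCKFILE)) {
  console.log(`${hit.path} resolved to ${hit.version}; upgrade to ${FIXED_VERSION} and rotate keys`);
}
```

In a real project, read `package-lock.json` with `JSON.parse(fs.readFileSync(...))` and pass the object to the function; a hit means the malicious code may have run, so key rotation applies even after upgrading.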
Source: This report was generated using AI