Entries related to supply chain attack

December 2, 2024

Official Solana JavaScript library compromised in supply chain attack, at least $184,000 taken

An attacker was able to compromise an account that had publish access for the official Solana web3.js library, which is widely used by dApps to read and write from the Solana blockchain. The library gets over 350,000 downloads per week from the popular JavaScript package manager npm.

Malicious versions of the library allowed exploiters to steal private keys and drain funds from dApps like various Solana bots.

Around $184,000 was stolen as a result of the compromise. Although it was caught fairly quickly, and the malicious code was removed from package managers, developers will need to update projects that used the malicious version of the library, and refresh any potentially exposed secrets.

"Solana Web3.js library backdoored to steal secret, private keys", Bleeping Computer [archive]

October 31, 2024

Supply chain attack stemming from JavaScript animation library results in losses for users of 1inch and other platforms

Attackers were able to inject malicious code into the popular "LottieFiles" JavaScript animations library. Visitors to websites using the library saw a prompt to connect their crypto wallets to what was ultimately a cryptocurrency wallet drainer. This affected some crypto platforms that used the library, including the 1inch decentralized exchange aggregator. One victim who connected their wallet suffered the loss of 10 BTC (~$723,000).

Other crypto platforms affected included TEN Finance and Movement. Because the animations library is widely used, other non-crypto-related websites also showed the prompt.

"Crypto apps see malicious popups after Ace Drainer hacks animation library", CoinTelegraph
"LottieFiles hacked in supply chain attack to steal users’ crypto", BleepingComputer

December 14, 2023

Supply chain attack on Ledger puts much of defi at risk

(attribution)

A supply chain attack on the Ledger connector application has rippled throughout the world of decentralized apps, which widely use the software to enable people to connect their popular Ledger hardware wallets to perform transactions. Although hardware wallets are meant to be among the most secure ways to store crypto, they too are vulnerable to attacks when they are connected to perform transactions.

A hacker was able to obtain access to Ledger's source code management tool and push out a new release that contained code that would drain wallets as users connect them. Because the library is so widely used, many crypto applications were vulnerable — including Revoke.cash, a security-focused project intended to help people guard against attacks on their wallets.

CTO of the Sushi crypto project issued a broad warning: "Do not interact with ANY dApps until further notice." At least $600,000 has been drained from multiple users so far.

September 17, 2021

Supply chain attack drains $3 million from SushiSwap

A retro-looking website titled "JAY PEGS AUTO MART". There are buttons for "MINT' DONA" and "BIG OCEAN", and gifs of wacky inflatable tubes at the bottom.

Jay Pegs Auto Mart website (attribution)

SushiSwap's token platform, Miso, was hit with a supply chain attack that landed the attacker more than $3 million worth of Ethereum. Malicious code was injected into the platform's frontend by a contractor who submitted a pull request. The attacker was able to target a car-themed NFT auction called "Jay Pegs Auto Mart". However, the team discovered the identity of the attacker and the funds were returned after some legal threats.

"Inside the Hunt for the Jay Pegs Auto Mart Thief and 865 ETH", The Defiant
Another DeFi Hack: $3M in ETH Stolen From SushiSwap’s Token Platform, CryptoPotato
"$3M Was Stolen, but the Real Steal Is These Kia Sedonas, Say Anonymous Developers", Coindesk

No JavaScript? That's cool too! Check out the Web 1.0 version of the site to see more entries.