PT-2024-9247 · Solana · @Solana/Web3.Js
Luscher · Published 2024-12-02 · Updated 2025-04-19 · CVE-2024-54134
CVSS v4.0: 8.3 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: @solana/web3.js versions 1.95.6 through 1.95.7
Description: A publish-access account for @solana/web3.js, a JavaScript library commonly used by Solana dapps, was compromised. This allowed an attacker to publish unauthorized, malicious versions of the package that steal private key material and drain funds from dapps that handle private keys directly. Non-custodial wallets are not affected, as they generally do not expose private keys during transactions. The issue is confined to this one JavaScript client library and affects only projects that handle private keys directly and that updated the dependency within the specific time window in which the malicious versions were available.
Recommendations: Projects on versions 1.95.6 or 1.95.7 should upgrade to version 1.95.8. Developers who suspect they may have been compromised should rotate any suspect authority keys, including multisigs, program authorities, server keypairs, and so on.

Exploit · Fix · Information Disclosure · RCE

Weakness Enumeration

Related Identifiers
BDU:2024-10935
CVE-2024-54134
GHSA-JCXM-7WVP-G6P5

Affected Products
@Solana/Web3.Js