Upgrade to Address Web3.js Issue

Phantom has confirmed that it is not affected by a vulnerability discovered in the Solana library (Solana/web3.js).

Phantom, a wallet provider running on the Solana (SOL) blockchain, has confirmed that it is secure following a recently discovered vulnerability in the @solana/web3.js library. According to a statement published on

@solana/web3.js, it is stated that everyone using versions 1.95.6 and 1.95.7 has been compromised by an undercover thief who leaks private keys. If you or your product are using these versions, upgrade to 1.95.8 (1.95.5 is not affected)

If you are running a service that can blacklist addresses, do this:

— trent.sol (@trentdotsol) December 3, 2024
Trent.sol warns on X not to use @solana/web3.js versions 1.95.6 and 1.95.7.

Earlier today, Solana developer Trent Sol warned users about the compromised library. He said that these versions may expose users to stealth attacks that could leak the private keys used to access and secure wallets. Trent urged products and developers using the compromised versions to upgrade to version 1.95.8. Earlier versions such as 1.95.5 are not affected.

Phantom is not affected by this vulnerability.

Our Security Team confirms that we have never used exploited versions of @solana/web3.js https://t.co/9wHZ4cnwa1.

— Phantom (@phantom) December 3, 2024
Phantom considers itself safe from the @solana/web3.js vulnerability.

Solana ecosystem fixes Web3.js vulnerability

The Solana ecosystem responded quickly to fix the vulnerability. Major projects like Drift, Phantom, and Solflare notified their communities that they were not affected because they did not use the compromised versions or had other security measures in place to keep them safe. Developers and projects in the ecosystem are also asked to check their dependencies and update their libraries to ensure that funds and data remain safe.

Increase in security vulnerabilities

Trent Sol’s disclosure of the vulnerability reflects a larger security issue that blockchain ecosystems often have to deal with. Forensic analysis shows that the corrupted versions of the library contain hidden commands intended to capture private keys and transmit them to a wallet called FnvLGtucz4E1ppJHRTev6Qv4X7g8Pw6WPStHCcbAKbfx. Cloud security researcher Christophe Tafani-Dereeper from Datadog highlighted the complexity of the backdoor on Bluesky.

Developer Tafani-Dereeper conducts forensic analysis of solana/web3.js vulnerabilities.

Such risks have become increasingly common, as evidenced by a malicious package incident involving the Python Package Index, commonly known as PyPI, reported by The Hacker News earlier this year. The “solana-py” package disguised itself as the legitimate Solana Python API to steal Solana wallet keys and exfiltrate them to an attacker-controlled server. It also exploited name similarities to fool developers, leading to 1,122 downloads before it was removed.
