According to Odaily, a security concern has been raised regarding the Solana/web3.js library. A post by SlowMist's Cosine on X highlighted a supply chain attack affecting versions 1.95.6 and 1.95.7 of the library, which contained backdoor code capable of stealing users' private keys. Fortunately, the latest version of the library has addressed this vulnerability, eliminating the associated risk.
While no major wallets have reported being affected by this issue, actual attacks have occurred. It is speculated that third-party tools related to private keys, including bots, might have been compromised due to their timely updates of dependency packages. The malicious versions of the library were available for only a few hours before being detected and removed. Users who have utilized this package are advised to conduct thorough checks to ensure their systems are secure.