ChainCatcher message, Slow Mist's cosine posted on X stating: "Caution @solana/web3.js supply chain poisoning, known versions 1.95.6 and 1.95.7 contain backdoor code that can steal user private keys. The new version no longer carries this risk. It is known that prominent wallets have not detected this risk, but real attacks have occurred.

It is speculated that perhaps third-party private key related tools (including bots) that timely update dependency packages have been compromised, as the poisoned versions lasted only a few hours before being discovered and taken down. If you are using this package, please be vigilant in checking."