According to Deep Tide TechFlow news, on December 4 Cosine of SlowMist stated on X: 'Beware of @solana/web3.js supply chain poisoning: the known versions 1.95.6 and 1.95.7 contain backdoor code that can steal users' private keys. The new version no longer carries this risk. No known wallets have been found to carry this risk, but real attacks have occurred.'
Cosine speculated that the compromise may have hit third-party tools that handle private keys (including bots) and that update their dependencies promptly, since the poisoned versions were live for only a few hours before they were discovered and removed from the registry. Anyone using this package should investigate carefully, including transitive copies pulled in by other dependencies.
Earlier, community users reported that versions 1.95.6 and 1.95.7 of @solana/web3.js had been confirmed to contain malicious code. Operators of services with an address blacklist feature should add the following address to it: FnvLGtucz4E1ppJHRTev6Qv4X7g8Pw6WPStHCcbAKbfx.
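As an added example, not part of the original report and not code from the @solana/web3.js project, the Node script below performs the two checks the report calls for: it scans an npm package-lock.json for the two poisoned versions, including transitive copies nested under another package's node_modules (it goes slightly beyond the text by handling both the lockfile v1 "dependencies" tree and the v2/v3 "packages" map), and it screens a list of transaction destination addresses against the reported attacker address. The lockfile contents and the "trading-bot-sdk" package name are constructed for the demo; the clean copy is pinned to 1.95.8, the release that replaced the poisoned ones.

```javascript
// Added example, not from the article or the @solana/web3.js project.
// Scans an npm lockfile for the poisoned @solana/web3.js releases named in
// the report and screens transaction destinations against the reported
// attacker address. SAMPLE_LOCK is constructed for the demo.

const POISONED_VERSIONS = new Set(["1.95.6", "1.95.7"]);
const BLOCKLIST = new Set(["FnvLGtucz4E1ppJHRTev6Qv4X7g8Pw6WPStHCcbAKbfx"]);
const TARGET = "@solana/web3.js";

// Return every installed copy of @solana/web3.js as { path, version }.
// Lockfile v2/v3 lists every installed copy under "packages", keyed by its
// on-disk path, so nested copies show up as ".../node_modules/@solana/web3.js".
// Lockfile v1 nests them under "dependencies" instead, so walk that tree.
function findWeb3Installs(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith(`node_modules/${TARGET}`) && meta.version) {
        found.push({ path, version: meta.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === TARGET && meta.version) {
        found.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Only the two exact versions are known bad; a transitive copy counts too.
function poisonedInstalls(lock) {
  return findWeb3Installs(lock).filter((e) => POISONED_VERSIONS.has(e.version));
}

// Destination screening for services with an address blacklist: base58
// addresses are case-sensitive, so compare the exact string, never a
// lowercased or trimmed form.
function blockedDestinations(addresses) {
  return addresses.filter((addr) => BLOCKLIST.has(addr));
}

// Constructed lockfile: a clean direct dependency on 1.95.8 plus a poisoned
// transitive copy pulled in by a hypothetical "trading-bot-sdk" package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/@solana/web3.js": { version: "1.95.8" },
    "node_modules/trading-bot-sdk": { version: "0.1.0" },
    "node_modules/trading-bot-sdk/node_modules/@solana/web3.js": { version: "1.95.7" },
  },
};

const hits = poisonedInstalls(SAMPLE_LOCK);
for (const h of hits) console.log(`POISONED ${h.path} @ ${h.version}`);
if (hits.length === 0) console.log(`no poisoned ${TARGET} install found`);
```

Run it against a real project by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a hit on a nested path means the bad version arrived through another package, so upgrading the direct dependency alone does not remove it. The screening function is deliberately a plain set lookup: anything fancier (normalising case, trimming, prefix matching) would let a visually similar address slip past.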