ChainCatcher message, Slow Mist Yu X stated: "Attention @solana/web3.js supply chain poisoning, known versions 1.95.6 and 1.95.7 contain backdoor code that can steal user private keys. The new version no longer has this risk. Well-known wallets have not found this risk, but real attacks have occurred.It is speculated that perhaps third-party private key-related tools (including bots) that update dependency packages in a timely manner were affected, as the poisoned versions only lasted a few hours before being discovered and removed. If you are using this package, please be cautious and check."

ChainCatcher news, Slow Mist founder Cosine stated that Lottie Player was attacked by supply chain poisoning, with Ace Drainer related to phishing gangs poisoning the front-end script module Lottie Player relied on by well-known Web3 projects. Fortunately, it was discovered in time, and the impact should be minimal.If your project uses the Lottie Player module, please check whether there is any malicious code introduced (currently known versions 2.0.4 and the latest 2.0.8 do not contain malicious code).