Source: https://blog.colosseum.com/supply-chain-attack-rpcv2-solana-september/
Supply Chain Attack, Solana RPC Infrastructure RFPs, QuickNode Solana September Update
The next Colosseum hackathon, Cypherpunk, officially kicks off on September 25 and registrations are now open! Tracks, prizes, and sponsors will be unveiled as we get closer to kickoff so get registered and get ready.
Here's what's featured in this week's issue:
- Lessons learned from a huge NPM supply chain attack
- Solana Foundation releases Solana RPCv2 Infrastructure RFPs
- A Solana update for September 2025 from QuickNode
๐ก️ Supply Chain Attack
Earlier this week, attackers pulled off a huge supply chain attack in history, compromising NPM maintainer accounts and pushing malicious code into JavaScript packages like chalk, error-ex, and others.
A contributor was compromised after falling victim to a phishing email. With those credentials, the attacker got control of their NPM account and pushed malicious updates to widely used packages
Maintainers, npm’s security team, and researchers quickly flagged the issue after build errors exposed the malicious code. The affected packages were rolled back to safe versions within hours, and npm began scrubbing compromised versions from the registry.
What Developers Can Do to Protect Themselves:
- Pin Dependencies: Use overrides in package.json to lock critical dependencies to known-safe versions.
- Audit Regularly: Run dependency audits and monitor for suspicious or unpublished versions in your lockfile.
- Harden CI/CD: Fail builds on unexpected updates or obfuscated code. Even a small anomaly can be a red flag.
- Security Awareness: Train teams to recognize phishing emails. This entire incident started with a single malicious link.
Despite the massive scale the actual financial damage was negligible. Researchers tracking attacker wallets reported that the malware only managed to steal less than $1000 in assets.
Anatomy of a Billion-Download NPM Supply-Chain Attack
๐ฎ Solana RPC Infrastructure RFPs
The Solana Foundation is funding the next generation of infrastructure with three RFPs to modernize how developers query accounts, access historical data, and stream network activity.
- RPCv2 Accounts Service: Funds a standalone accounts RPC service built for performance with faster account queries, websocket subscriptions, and a decoupled architecture.
- RPCv2 Historical Service: Supports building a modular, open-source historical RPC service with cheaper, pluggable database backends and cold storage support.
- RPCv2 Streaming Service: Supports building a lightweight streaming node that uses fewer resources and can easily share data with other services.
Each RFP is open until October 10, 2025, with grants available for contributors. Developers interested in contributing can apply for these grants here.
Alongside the new RFPs, the Solana Foundation announced the formation of an RPC working group to coordinate RPC operators, application developers, and grant recipients on development of the next-generation read layer.
Teams funded through the RFPs will join the working group, receive follow-up maintenance grants, and collaborate under a shared AGPL-licensed codebase ensuring the new infrastructure is open, auditable, and community-owned.
Solana RPCv2 Infrastructure RFPs
๐ Solana September Update
The Solana update for Sept 2025 from QuickNode covers progress across the Solana ecosystem, with several key developments.
Nearly 15% of mainnet is now running on dedicated fiber through DoubleZero. This provides validators with low-latency, deterministic connections,helping improve overall network speed.
Validator software continues to advance with Agave recently surpassing 1.1M TPS in synthetic benchmarks.
The Jito fork of Agave introduced block assembly marketplace technology, which processes transactions in a trusted execution environment that mitigates MEV by keeping transaction details private until they are included in a block.
Solana validators approved the move to the new Alpenglow protocol for block distribution, which should enable transaction confirmations in 150 milliseconds.
On the RPC side, QuickNode has invested in infrastructure upgrades and published live benchmarks comparing Solana RPC performance across providers to measure RPC latency and reliability in real time.
Ecosystem programs also saw significant progress.
Switchboard reported major performance improvements, claiming updates that are up to one thousand times more efficient than competitors.
At the application level, revenue for Solana programs reached an all-time high. This indicates that developers on the network are generating meaningful income and that activity on Solana continues to grow.
Check out the full video for additional details.
QuickNode Solana Update September 2025
⚡ Quick Hits
Rektoff Solana Rust Security Bootcamp Cohort 2 Applications are Open - @rektoff_xyz
How Solflare became Solana’s self-custodial wallet for everyday users - Token Relations
P-Token: Solana’s Next Big Efficiency Unlock - Helius
Measuring growth in crypto: What’s different, what matters, and what needs to be adapted - a16zcrypto
Introducing Confidential Transfers on Solana: A New Era of Privacy - @UmbraPrivacy
Shank docs are live now with guides, examples, and macro references - @Metaplex
Breaking down Solana & Ethereum: Fees - @_JonahB_
What’s the Solana Collective and how do I join - @damiwho_
⚙️ Tools & Resources
sb-on-demand-examples is a collection of example repositories for Switchboard's On-Demand SDK 0.8.0 that includes real-time price feeds and data oracles, Verifiable Random Function (VRF) for trustless randomness, and secure and reliable secret management
shadcn-registry for Wallet UI installs a wallet component from the registry for customization and styling like any other shadcn/ui component without being locked into a fixed library.
๐ฉ๐ง Get Hired
- Orca is hiring a Product Analyst
- Kast is hiring a Mobile Team Lead (Flutter)
- Jito Labs is hiring a Validator Relations Associate
- Triton is hiring a Senior Network Engineer (Remote)
- Solstice Labs is hiring an Infrastructure Engineer
๐ Event Calendar
Solana Ideathon Krakรณw, Poland, Sept 24
The Solana Ideathon, hosted by Superteam Poland, is a six-city tour across Poland that includes talks, workshops, and pitching sessions with a relaxed community atmosphere designed to spark new startup ideas on Solana.
OnlyDevs, Mumbai, India, Oct 4
OnlyDevs is an in-person event featuring talks from CTOs and founding engineers, opportunities to connect with high-quality peers, a well-equipped venue for work and collaboration, and a demo day for showcasing prototypes.
Accelerate Berlin - Solana Ideathon, Berlin, Germany, Oct 10
Solana Superteam Germany is hosting a Berlin Ideathon where builders can form teams, develop ideas, and pitch to a jury for a share of 1,500 USDC in prizes. The event features live startup pitches, investor insights, and networking, making it a key warm-up for the upcoming Cypherpunk Hackathon in Sept/Oct.
๐ง Listen to This
When Shift Happens
Lily Liu, President of the Solana Foundation, lays out her vision for how Bitcoin and Solana together can replace traditional banking.
She frames Bitcoin as digital gold, serving as a global store of value, while Solana functions as the high-speed transaction layer capable of providing financial infrastructure for the 5.5 billion people excluded from today’s system.
Liu discusses the barriers of traditional banking, including her own experience being blocked by banks, and contrasts them with the open, permissionless nature of crypto.
She explains how Solana enables internet-native financial services, why decentralization matters for global access, and how the ecosystem can avoid cultural pitfalls while scaling.
The conversation highlights the complementary roles of Bitcoin and Solana in building a permissionless, global financial network designed for the internet age.
Solana President: How Bitcoin and Solana Are the Future of Banking
Follow @mikehale on X or Warpcast!
Thanks for reading ✌️
I hope you found something useful here! If you have any suggestions or feedback just let me know what you think.
