Supply chain

Injective Labs SDK npm package compromised to steal cryptocurrency keys

Bleeping Computer reports that hackers compromised the Injective Labs SDK project's GitHub repository and used it to publish a malicious package on npm that stole cryptocurrency wallet private keys and mnemonic seed phrases.

The supply-chain attack was detected by application security companies Socket, Ox Security, and StepSecurity via version 1.20.21 of the @injectivelabs/sdk-ts npm package, which has 50,000 weekly downloads. The attacker compromised a legitimate contributor's GitHub account and published the malicious version, affecting 17 other associated packages. Although the legitimate owner quickly reverted the changes, systems fetching the compromised packages were likely affected. The malware activates when developers use SDK functions to generate or import wallet keys, capturing the full mnemonic seed phrase and private key. This data is exfiltrated via an HTTP POST request to an Injective Labs public infrastructure endpoint.

The malicious version was downloaded 310 times before being deprecated. The 87 direct dependencies of the package had a cumulative download count of over 112,000, indicating a wide potential impact on developers building cryptocurrency wallets, trading bots, decentralized exchanges, and DeFi applications.

Source: Bleeping Computer

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds