Bleeping Computer reports that hackers compromised the Injective Labs SDK project's GitHub repository and used it to publish a malicious package on npm that stole cryptocurrency wallet private keys and mnemonic seed phrases.The supply-chain attack was detected by application security companies Socket, Ox Security, and StepSecurity via version 1.20.21 of the @injectivelabs/sdk-ts npm package, which has 50,000 weekly downloads. The attacker compromised a legitimate contributor's GitHub account and published the malicious version, affecting 17 other associated packages. Although the legitimate owner quickly reverted the changes, systems fetching the compromised packages were likely affected. The malware activates when developers use SDK functions to generate or import wallet keys, capturing the full mnemonic seed phrase and private key. This data is exfiltrated via an HTTP POST request to an Injective Labs public infrastructure endpoint.The malicious version was downloaded 310 times before being deprecated. The 87 direct dependencies of the package had a cumulative download count of over 112,000, indicating a wide potential impact on developers building cryptocurrency wallets, trading bots, decentralized exchanges, and DeFi applications.Source: Bleeping Computer
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds




