Skip to content
Tech News
← Back to articles

Injective SDK on npm infected with cryptocurrency wallet stealer

read original more articles

Hackers compromised the Injective Labs SDK project's GitHub repository and used it to publish a malicious package on the Node Package Manager (npm) that stole cryptocurrency wallet private keys and mnemonic seed phrases.

Application security companies Socket, Ox Security, and StepSecurity detected the supply-chain attack via version 1.20.21 of the @injectivelabs/sdk-ts npm package.

Injective SDK is a TypeScript/JavaScript software development kit (SDK) for building applications on the Injective blockchain, a Layer-1 blockchain focused on decentralized finance (DeFi), tokenized assets, and decentralized exchanges.

The package has 50,000 weekly downloads on npm and is used by developers building cryptocurrency wallets, trading bots, decentralized exchanges, DeFi applications, and payment tools.

According to the researchers, the attacker compromised a GitHub account belonging to a legitimate project contributor and made the first suspicious commits on June 8, publishing the malicious version of the package shortly afterward.

The attacker also published version 1.20.21 for another 17 packages associated with the project, pinning all of them to the compromised SDK version.

The legitimate account owner detected the compromise within minutes, reverted the changes, and published a clean release, version 1.20.23.

However, developer systems fetching the malicious packages via an update or used them were likely compromised.

Socket says the malicious version of the package was downloaded 310 times before it was deprecated, not removed, and the malicious GitHub release artifacts are still available.

The researchers also note that the package has 87 direct dependencies on npm and very likely multiple additional transitive dependencies.

... continue reading