Supply Chain Attack on Injective SDK
Hackers infiltrated the Injective Labs SDK project by compromising a legitimate contributor’s GitHub account. They used this access to publish a malicious version of the @injectivelabs/sdk-ts package on the Node Package Manager (npm) registry. The compromised release, version 1.20.21, was designed to steal cryptocurrency wallet private keys and mnemonic seed phrases. Security firms including Socket, Ox Security, and StepSecurity detected the breach, which affects a TypeScript/JavaScript SDK used to build applications on the Injective blockchain, a system focused on decentralized finance.
Impact and Response
The malicious package was downloaded 310 times before being deprecated. It also pinned 17 associated packages to the compromised SDK version, creating a broader infection vector. These dependent packages accumulated over 112,000 cumulative downloads. The malware activated not upon installation but when developers used SDK functions to generate or import wallet keys. It captured mnemonic seed phrases and private keys, encoded them in base64, and exfiltrated the data via HTTP POST requests disguised as legitimate traffic to an Injective Labs endpoint. The legitimate account owner detected the compromise within minutes, reverting changes and releasing a clean version 1.20.23. Developers who may have used the malicious package should transfer cryptocurrency to new wallets and rotate all credentials.
Source: BleepingComputer
