Cryptocurrency wallet theft via compromised npm SDK package

Attackers compromised a GitHub contributor account to inject malware that steals cryptographic credentials from developers building on the Injective blockchain.

CSBadmin
2 Min Read

Supply Chain Attack on Injective SDK

Hackers infiltrated the Injective Labs SDK project by compromising a legitimate contributor’s GitHub account. They used this access to publish a malicious version of the @injectivelabs/sdk-ts package on the Node Package Manager (npm) registry. The compromised release, version 1.20.21, was designed to steal cryptocurrency wallet private keys and mnemonic seed phrases. Security firms including Socket, Ox Security, and StepSecurity detected the breach, which affects a TypeScript/JavaScript SDK used to build applications on the Injective blockchain, a system focused on decentralized finance.

Impact and Response

The malicious package was downloaded 310 times before being deprecated. It also pinned 17 associated packages to the compromised SDK version, creating a broader infection vector. These dependent packages accumulated over 112,000 cumulative downloads. The malware activated not upon installation but when developers used SDK functions to generate or import wallet keys. It captured mnemonic seed phrases and private keys, encoded them in base64, and exfiltrated the data via HTTP POST requests disguised as legitimate traffic to an Injective Labs endpoint. The legitimate account owner detected the compromise within minutes, reverting changes and releasing a clean version 1.20.23. Developers who may have used the malicious package should transfer cryptocurrency to new wallets and rotate all credentials.

Source: BleepingComputer

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.