Hackers compromised the Injective Labs SDK project and published a malicious npm package. The package stole cryptocurrency wallet private keys and mnemonic seed phrases.
Security firms Socket, Ox Security, and StepSecurity detected the supply-chain attack. It affected version 1.20.21 of the @injectivelabs/sdk-ts package.
Injective SDK Malware Reached npm
Injective SDK is a TypeScript and JavaScript development kit. Developers use it to build applications on the Injective blockchain.
The blockchain focuses on decentralized finance, tokenized assets, and decentralized exchanges.
The npm package receives around 50,000 weekly downloads. It is used in cryptocurrency wallets, trading bots, payment tools, and DeFi applications.
Researchers say the attacker compromised a legitimate contributor’s GitHub account. The first suspicious commits appeared on June 8.
Soon afterward, the attacker published the malicious npm release.
Attackers Compromised More Packages
The attacker also published version 1.20.21 for 17 related packages. Each package was pinned to the compromised SDK version.
The legitimate account owner noticed the breach within minutes. They reverted the changes and released a clean version, numbered 1.20.23.
However, developers may have already downloaded or used the malicious packages. Those systems could remain compromised.
Socket says the infected package received 310 downloads before npm deprecated it. The package was not fully removed.
Researchers also found that malicious GitHub release files remained available.
Dependent Packages Increased the Risk
The compromised package has 87 direct dependencies on npm. It may also affect many indirect dependencies.
Ox Security says the 87 dependent packages had more than 112,000 combined downloads.
This widened the potential reach of the attack. Projects that automatically fetched the infected release may also face exposure.
Malware Targeted Wallet Functions
The Injective SDK malware did not activate during installation.
Instead, it waited until developers used functions that created or imported cryptocurrency wallet keys.
At that point, the malware captured the full mnemonic seed phrase and private key. It then encoded the stolen information using base64.
The malware sent the data through an HTTP POST request. It used an Injective Labs public infrastructure endpoint to make the traffic appear legitimate.
StepSecurity found that the malware did not send each secret immediately. Instead, it stored several keys and seed phrases for two seconds.
It then bundled the data into an HTTP request header and transmitted it.
Stolen Keys Could Drain Wallets
Attackers can use stolen seed phrases or private keys to restore wallets on their own devices.
Once restored, they may access the wallets and transfer any available digital assets.
Developers who used version 1.20.21 should assume their wallet secrets may be exposed.
They should move funds to newly created wallets as soon as possible. They should also rotate every secret stored in the affected environment.


0 responses to “Injective SDK Malware Steals Crypto Wallet Keys”