← All stories
● Covered by 1 source Β· 1 reportHigh impact

Injective SDK on npm compromised, malicious package steals crypto wallet credentials

Aggregated by BrevFeed security Β· updated 1h ago
πŸ”– Save

The Injective SDK's npm package was compromised, resulting in a malicious version that stole private keys and seed phrases from users' cryptocurrency wallets. This attack affects developers relying on the SDK for decentralized finance applications and highlights vulnerabilities in the software supply chain.

Key points

Compromise of Injective SDK

Hackers took control of the Injective Labs SDK project on GitHub and published a malicious version of the package on npm, specifically targeting cryptocurrency wallets.

The malicious version, 1.20.21 of @injectivelabs/sdk-ts, stole private keys and mnemonic seed phrases from users.

Scope of the Attack

The SDK is used by developers for creating applications in decentralized finance (DeFi) and has around 50,000 weekly downloads.

As many as 87 direct dependencies and potentially more transitive dependencies could expose a larger number of users to compromised software.

Malware Activation and Data Exfiltration

The malware triggers when developers call specific SDK functions to generate or import wallet keys, not at installation, allowing it to capture sensitive data.

Captured data is encoded in base64 and sent to an endpoint set up by the attackers, camouflaging the exfiltration process.

Incident Response and Impact

The legitimate account owner of the GitHub repository reverted the malicious changes within minutes and published a clean version, 1.20.23.

However, 310 downloads of the compromised version could have exposed several developers and their applications to wallet theft.

✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β€” check the original sources. How BrevFeed works β†’

Reporting from

The Injective SDK's npm package was compromised, resulting in a malicious version that stole private keys and seed phrases from users' cryptocurrency wallets. This attack affects developers relying on the SDK for decentralized finance applications and highlights vulnerabilities in the software supply chain.