The Injective SDK's npm package was compromised, resulting in a malicious version that stole private keys and seed phrases from users' cryptocurrency wallets. This attack affects developers relying on the SDK for decentralized finance applications and highlights vulnerabilities in the software supply chain.
Hackers took control of the Injective Labs SDK project on GitHub and published a malicious version of the package on npm, specifically targeting cryptocurrency wallets.
The malicious version, 1.20.21 of @injectivelabs/sdk-ts, stole private keys and mnemonic seed phrases from users.
The SDK is used by developers for creating applications in decentralized finance (DeFi) and has around 50,000 weekly downloads.
As many as 87 direct dependencies and potentially more transitive dependencies could expose a larger number of users to compromised software.
The malware triggers when developers call specific SDK functions to generate or import wallet keys, not at installation, allowing it to capture sensitive data.
Captured data is encoded in base64 and sent to an endpoint set up by the attackers, camouflaging the exfiltration process.
The legitimate account owner of the GitHub repository reverted the malicious changes within minutes and published a clean version, 1.20.23.
However, 310 downloads of the compromised version could have exposed several developers and their applications to wallet theft.
β¨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β check the original sources. How BrevFeed works β
The Injective SDK's npm package was compromised, resulting in a malicious version that stole private keys and seed phrases from users' cryptocurrency wallets. This attack affects developers relying on the SDK for decentralized finance applications and highlights vulnerabilities in the software supply chain.