NPM Infected

Overview

A major supply‑chain attack has compromised the Injective Labs SDK project, resulting in a malicious npm package that stole cryptocurrency wallet private keys and mnemonic seed phrases. The incident highlights the growing risks facing developers in the blockchain and DeFi ecosystem.

How the Attack Happened

Hackers gained access to a GitHub account belonging to a legitimate contributor and published a malicious version of the SDK:

  • Malicious package: @injectivelabs/sdk-ts version 1.20.21.
  • Detection: Security firms Socket, Ox Security, and StepSecurity flagged the compromise.
  • Impact: The package has 50,000 weekly downloads and is widely used in cryptocurrency wallets, trading bots, decentralized exchanges, DeFi apps, and payment tools.

The attacker also pinned 17 related packages to the compromised version, amplifying the risk across the ecosystem.

Malware Behavior

The malicious code activates when developers call SDK functions that generate or import wallet keys.

Attack flow:

  1. Capture mnemonic seed phrase & private key.
  2. Encode data in base64.
  3. Exfiltrate via HTTP POST to an Injective Labs public endpoint, disguising traffic as legitimate.
  4. Bundle multiple keys in a two‑second delay before transmission, making detection harder.

This allows attackers to port victim wallets to their own devices, enabling theft of digital assets.

Scope of Exposure

  • The malicious version was downloaded 310 times before being deprecated (but not removed).
  • The SDK has 87 direct npm dependencies, with a cumulative download count of 112,000+.
  • Developer systems that fetched or updated to the compromised version are likely compromised.

Recommended Actions

Developers and organizations should act immediately:

  • Update to clean version — upgrade to 1.20.23 or later.
  • Rotate all secrets — regenerate API keys, mnemonics, and private keys.
  • Transfer cryptocurrency to new wallets if compromise is suspected.
  • Audit dependency trees for pinned malicious versions.
  • Monitor for suspicious traffic to Injective endpoints.

Expert in the Cloud Insight

This incident underscores the fragility of open‑source supply chains in the blockchain space. Attackers exploit trusted developer accounts to inject malware into widely used SDKs, compromising entire ecosystems with minimal effort.

For DeFi and crypto developers, the lesson is clear: dependency hygiene, secret rotation, and continuous monitoring are non‑negotiable. Supply‑chain security is now a frontline defense against wallet theft and financial fraud.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.