Skip to content
Active Currencies: 17,465
Market Cap: $2.276T
Bitcoin Dominance: 56.39%
24h Market Cap Change: $1.26

Injective software package hit by malicious supply chain attack – Details

How did a reliable SDK come to reveal the wallet credentials of developers?

Injective software package maliciously used by hackers

Software supply chain attacks have become more common, with attackers increasingly targeting trusted developer tools instead of end users.

In the latest incident, attackers compromised a trusted Injective Labs software package to steal developers’ wallet credentials.

@injectivelabs:sdk-ts, v1.20.21, to npm
Source: Socket

How did Injective SDK attack unfold?

The attacker uploaded a malicious version of the TypeScript SDK, @injectivelabs/sdk-ts v1.20.21, to npm. The package was designed for building Injective applications, creating wallets, and signing transactions.

The attacker then gained access to a legitimate Injective Labs contributor’s GitHub account and distributed malicious commits. One test branch was named “test-backdoor-check.”

Under the guise of telemetry, the attacker published the compromised package to npm.

Instead of collecting usage data, the malware extracted private keys and mnemonic seed phrases. That gave attackers everything needed to recreate and seize victims’ crypto wallets.

On top of that, the compromise spread through transitive dependencies in 17 additional Injective packages that relied on the SDK.

The loophole that led to the breach

The malicious code remained inactive during installation, helping it evade detection.

Instead, it executed only when developers used the fromMnemonic or fromHex wallet generation functions.

Around 50,000 downloads of the compromised package occurred each week. At least 87 other packages also depended on it directly.

The attacker also released 17 additional Injective packages pinned to the compromised SDK version, expanding the attack’s reach.

@injectivelabs:sdk-ts 50,000 weekly downloads
Source: Socket

What’s more? 

Soon after, a clean version, v1.20.23, was made available. However, the compromised version was still available on npm as a deprecated package, and its release artifacts were still available on GitHub.

Hence, to avoid further such incidents, users should rotate all impacted credentials, create new wallets, and move their money.

This coincided with BonkDAO losing $20 million because of a “malicious governance proposal” making them the most recent victim of a crypto hack.


Final Summary

  • The wrongdoer gained access to a legitimate Injective Labs contributor’s GitHub account and used it to distribute malicious commits.
  • Developers were made vulnerable by the attack because of transitive dependencies in 17 additional injective packages. 
Disclaimer: AMBCrypto's content is meant to be informational in nature and should not be interpreted as investment advice. Trading, buying or selling cryptocurrencies should be considered a high-risk investment and every reader is advised to do their own research before making any decisions.

Ishika Kumari

Journalist

Ishika Kumari is a Crypto Analyst at AMBCrypto, specializing in regulatory developments, market dynamics, and blockchain’s real-world impact. She breaks down complex protocols and legislation into practical, easy-to-understand insights.

AMBCrypto was founded in 2018 with a mission to simplify and bring the latest blockchain and cryptocurrency news to our readers. We have quickly grown into the digital news source for an emerging generation of cryptocurrency enthusiasts, reaching more than a million readers on a monthly basis, across the globe.