TECHNOLOGY

Injective npm Package Hit by Wallet Stealer

Image credit: Unsplash

Hackers compromised a widely used Injective software package on npm and pushed malicious code designed to steal crypto wallet private keys and recovery phrases.

The attack targeted developers building on Injective, not the Injective blockchain itself. Injective CEO Eric Chen said the issue has been fixed and affected npm versions have been deprecated.

Version 1.20.21 Targeted SDK Users

Security firm Socket said the compromised package was @injectivelabs/sdk-ts version 1.20.21. The package is a TypeScript and JavaScript SDK used by developers building wallets, trading tools, DeFi apps and other services on Injective. It has about 50,000 weekly downloads and 87 npm dependents.

Attackers used access to a trusted developer account to publish the malicious SDK release. They also pinned version 1.20.21 across 17 other Injective-scoped packages, expanding the risk to projects that did not install the SDK directly.

Malware Copied Keys During Wallet Actions

The malware did not simply run at installation. Researchers said it activated when applications used wallet functions that generate or import keys. At that point, the code recorded mnemonic seed phrases and private keys.

The stolen data was encoded and sent through fake telemetry to an endpoint made to look like Injective public infrastructure.

StepSecurity said the malware also queued wallet secrets briefly before sending them together in an HTTP request header. That design meant applications could appear to work normally while exposing wallet credentials processed through the compromised package.

Clean Version Followed 310 Downloads

The compromised release was detected quickly by security researchers and the legitimate account owner. A clean version, 1.20.23, was later published. BleepingComputer reported that the malicious version was downloaded 310 times before it was deprecated.

OX Security said the affected package set reached 18 packages and 87 downstream dependents. The public disclosures did not report any confirmed fund loss. Socket still warned that any private keys or mnemonics passed through affected versions should be treated as compromised.

Developers Told to Upgrade and Rotate Wallets

The immediate fix is to upgrade away from version 1.20.21 and review dependency trees for pinned Injective packages.

Projects that generated or imported wallets through the affected packages should move funds to newly created wallets and rotate other secrets in the development environment.

Developers using affected versions should upgrade, inspect dependency trees and rotate any wallets or secrets exposed to the compromised package.

More For You

Explore More News