Software supply chain attacks have become more common, with attackers increasingly targeting trusted developer tools instead of end users. In the latest incident, malicious code was uploaded to a trusted Injective Labs software package on npm, designed to steal developers’ wallet credentials by extracting private keys and mnemonic seed phrases. The attacker compromised a legitimate contributor’s GitHub account and distributed the malware through a test branch. With approximately 50,000 weekly downloads of the compromised package and 17 additional Injective packages affected through transitive dependencies, the attack exposed a significant vulnerability in the crypto development supply chain.
Attackers compromised a trusted Injective Labs software package to steal developers’ wallet credentials. A malicious version of the TypeScript SDK, @injectivelabs/sdk-ts v1.20.21, was uploaded to npm.
The package was designed for building Injective applications, creating wallets, and signing transactions. The attacker gained access to a legitimate Injective Labs contributor’s GitHub account and distributed malicious commits, with one test branch named “test-backdoor-check.”
Under the guise of telemetry, the attacker published the compromised package to npm. Instead of collecting usage data, the malware extracted private keys and mnemonic seed phrases, giving attackers everything needed to recreate and seize victims’ crypto wallets.
The compromise spread through transitive dependencies in 17 additional Injective packages that relied on the SDK. The malicious code remained inactive during installation, helping it evade detection, and executed only when developers used the fromMnemonic or fromHex wallet generation functions.
Approximately 50,000 downloads of the compromised package occurred each week. At least 87 other packages also depended on it directly.
The attacker also released 17 additional Injective packages pinned to the compromised SDK version, expanding the attack’s reach. Soon after, a clean version, v1.20.23, was made available. However, the compromised version was still available on npm as a deprecated package, and its release artifacts were still available on GitHub.
Users should rotate all impacted credentials, create new wallets, and move their money to avoid further incidents. This incident coincided with BonkDAO losing $20 million because of a “malicious governance proposal,” making them the most recent victim of a crypto hack.
