Key facts
- A supply chain attack targeted the @injectivelabs/sdk-ts npm package, downloaded over 300 times.
- The malware was designed to steal crypto wallet private keys and seed phrases.
- The compromise occurred through a developer's infiltrated GitHub account.
- The malicious code has been removed, and affected versions are deprecated.
- Injective CEO stated no funds on the network are at risk.
Hackers attempted a supply chain attack by compromising a widely used Injective npm package, aiming to steal crypto wallet private keys and seed phrases. Security firm Socket discovered that version 1.20.21 of the @injectivelabs/sdk-ts package, downloaded over 300 times, was modified through a compromised developer GitHub account. The malicious code hooked into wallet key-derivation functions, secretly copying sensitive information and exfiltrating it to a fake server. Injective CEO Eric Chen confirmed the issue has been fixed, affected versions deprecated, and stated that no funds on the network are at risk. This incident highlights the growing threat of software supply chain attacks, where attackers exploit trusted developer tools to deliver malicious payloads.