Injective software package hit by malicious supply chain attack – Details

Ledger
Blockonomics


Software supply chain attacks have become more common, with attackers increasingly targeting trusted developer tools instead of end users.

In the latest incident, attackers compromised a trusted Injective Labs software package to steal developers’ wallet credentials.

@injectivelabs:sdk-ts, v1.20.21, to npm@injectivelabs:sdk-ts, v1.20.21, to npm
Source: Socket

How did Injective SDK attack unfold?

The attacker uploaded a malicious version of the TypeScript SDK, @injectivelabs/sdk-ts v1.20.21, to npm. The package was designed for building Injective applications, creating wallets, and signing transactions.

The attacker then gained access to a legitimate Injective Labs contributor’s GitHub account and distributed malicious commits. One test branch was named “test-backdoor-check.”

okex

Under the guise of telemetry, the attacker published the compromised package to npm.

Instead of collecting usage data, the malware extracted private keys and mnemonic seed phrases. That gave attackers everything needed to recreate and seize victims’ crypto wallets.

On top of that, the compromise spread through transitive dependencies in 17 additional Injective packages that relied on the SDK.

The loophole that led to the breach

The malicious code remained inactive during installation, helping it evade detection.

Instead, it executed only when developers used the fromMnemonic or fromHex wallet generation functions.

Around 50,000 downloads of the compromised package occurred each week. At least 87 other packages also depended on it directly.

The attacker also released 17 additional Injective packages pinned to the compromised SDK version, expanding the attack’s reach.

@injectivelabs:sdk-ts 50,000 weekly downloads@injectivelabs:sdk-ts 50,000 weekly downloads
Source: Socket

What’s more? 

Soon after, a clean version, v1.20.23, was made available. However, the compromised version was still available on npm as a deprecated package, and its release artifacts were still available on GitHub.

Hence, to avoid further such incidents, users should rotate all impacted credentials, create new wallets, and move their money.

This coincided with BonkDAO losing $20 million because of a “malicious governance proposal” making them the most recent victim of a crypto hack.


Final Summary

  • The wrongdoer gained access to a legitimate Injective Labs contributor’s GitHub account and used it to distribute malicious commits.
  • Developers were made vulnerable by the attack because of transitive dependencies in 17 additional injective packages. 



Source link

Coinbase

Be the first to comment

Leave a Reply

Your email address will not be published.


*