00:00
The Financial Ways
The Financial Ways
USD/RUB
EUR/RUB
Cryptocurrency

Malicious Injective SDK Update Exposes Private Keys

A compromised developer account allowed attackers to inject malicious code into the @injectivelabs/sdk-ts npm package, turning a standard software update into a gateway for harvesting private keys and seed phrases. Security researchers warn that the breach, which spread across 17 related packages, remains a significant threat to affected applications.

Malicious Injective SDK Update Exposes Private Keys

The supply-chain attack began on June 8 when an unauthorized party gained access to a developer’s GitHub account. This breach enabled the release of version 1.20.21 of the SDK, a tool widely used by developers to build wallets and decentralized applications. Once installed, the code intercepted key-generation functions, silently exfiltrating sensitive credentials to a server disguised as an official Injective endpoint. While the malicious version has since been removed, Socket warns that any mnemonic or key processed through the tainted software should be considered compromised.

Injective CEO Eric Chen confirmed that the affected releases were deprecated and the vulnerability patched, asserting that the underlying Injective network remains secure. However, the incident highlights a growing shift in cybercrime tactics: rather than attacking robust blockchain cryptography, adversaries are increasingly targeting the developer ecosystem. By compromising platforms like npm and GitHub, attackers gain a force multiplier that allows one breach to compromise countless downstream applications. This mirrors recent incidents targeting Axios and the broader TrapDoor campaign, underscoring the vulnerability of the software supply chain in the crypto and DeFi sectors.

Share

Comments (0)

Leave a comment

No comments yet. Be the first!