Injective Labs experienced a significant security breach when a trusted software package was infiltrated by attackers, potentially compromising developer wallets. This event underscores the increasing trend of software supply chain attacks targeting developer tools rather than end users.
Details of the Attack on Injective SDK
The attack involved the malicious version of the TypeScript SDK, @injectivelabs/sdk-ts v1.20.21, which was uploaded to npm. This package is utilized for constructing Injective applications, managing wallets, and signing transactions. Attackers gained access to a legitimate Injective Labs contributor's GitHub account, subsequently distributing harmful commits. A test branch was misleadingly named “test-backdoor-check.”
Under the guise of telemetry data collection, this compromised package was made available on npm. Instead of gathering usage statistics, the embedded malware was designed to extract private keys and mnemonic seed phrases from developers, thereby compromising their crypto wallets. The attack further spread to 17 additional Injective packages relying on the SDK through transitive dependencies.
Impact and Recommendations for Developers
Notably, the malicious code did not activate during installation, enabling it to elude detection. Activation only occurred when developers employed specific wallet generation functions, such as fromMnemonic or fromHex. The compromised package saw approximately 50,000 downloads weekly, and 87 other packages were directly dependent on it. In addition, the attackers released 17 more Injective packages tied to this compromised version, amplifying the consequences of the breach.
A clean version of the SDK, v1.20.23, has since been released, yet the compromised version remains on npm as a deprecated package along with its artifacts on GitHub. Developers are strongly advised to rotate all related credentials, generate new wallets, and relocate their funds to prevent further exploits. The breach coincided with recent security issues in the crypto space, emphasizing the need for vigilance.
This article is for informational purposes only and is not financial advice.



