Injective has reassured users that their funds were never at risk following an incident involving malicious code introduced into its npm packages. The attack, which occurred when two code changes were pushed directly to the main branch, affected 18 of the company's official npm developer packages.

Security firm Socket highlighted that the malicious code was embedded in version 1.20.21 of the @injectivelabs/sdk-ts TypeScript SDK. This SDK is commonly used by developers for creating wallets, exchange front ends, and trading bots on the Injective platform. It was reported that attackers masqueraded as a trusted developer, which facilitated the unauthorized code insertion without undergoing the usual code review or pull request process.

Details of the Attack

The harmful code included a function named trackKeyDerivation(), which deceptively claimed to optimize user data collection. In fact, it was designed to capture private keys and seed phrases transmitted through the SDK and relay this sensitive information to a remote server. This server's address was masked to resemble an official Injective domain to evade detection.

Despite the vulnerability, Injective's CEO Eric Chen stated that the issue was resolved within one hour. A clean version of the SDK, labeled as 1.20.23, was quickly made available to replace the compromised version. Although the tainted package was only active for a brief period, it was downloaded over 300 times before being removed. The incident prompted security advisories from experts warning that users who interacted with the infected packages should regard their keys as potentially compromised.

In light of this event, developers utilizing related tools from Injective should remain vigilant. Ongoing security measures are critical in preventing future attacks.This material is for informational purposes only and does not constitute financial advice.