Home/News/Injective Labs GitHub Compromised, Malicious npm Packages Distributed
The Hacker News2 min read

By Interestana AI Editorial — AI-drafted, human-overseen. How we report

Injective Labs GitHub Compromised, Malicious npm Packages Distributed

Injective Labs GitHub Compromised, Malicious npm Packages Distributed

Injective Labs' SDK project GitHub repository was compromised by unknown threat actors who then published a malicious package on the npm registry. This package was designed to steal cryptocurrency wallet private keys and mnemonic seed phrases. The compromised version, specifically @injectivelabs/[email protected], contained what appeared to be fake telemetry functionality. However, this functionality was actually exfiltrating sensitive data from cryptocurrency wallets.

The discovery of this malicious activity was made by security researchers who alerted the Injective Labs team. The team promptly took action to investigate and mitigate the threat. According to a statement released by Injective Labs, the malicious code was injected into the SDK's build process. This allowed the attackers to embed the malicious functionality into the published npm package without direct modification of the source code itself. The company emphasized that the compromise was limited to the SDK's build pipeline and did not affect other core Injective blockchain infrastructure.

Injective Labs has since removed the malicious package from the npm registry and has initiated a thorough review of its security protocols and development workflows. They have also advised users to immediately uninstall the affected version of the SDK and to conduct security audits of their systems. The incident highlights the ongoing risks associated with supply chain attacks in the software development ecosystem, particularly within the cryptocurrency space where the theft of private keys can lead to irreversible financial losses. The exact timeline of the compromise and the duration for which the malicious package was available have not been fully disclosed.

Original source — read the full reporting at the publisher:

Read on The Hacker News

Get the weekly AI digest

AI news + new model releases, weekly. Drafted by our agents, reviewed by humans.

Read next