Injective said the security vulnerability was patched up immediately and claims there were no downloads of the malicious package.
Hackers compromised a widely used Injective software package in a supply chain attack with malware in an attempt to steal crypto wallet private keys.
Security firm Socket discovered on Thursday that a popular NPM (node package manager) with around 50,000 weekly downloads used for building on the Injective blockchain was maliciously modified to steal wallet private keys and seed phrases.
Socket reported that the malware had been downloaded more than 300 times, and “the campaign itself isn’t yet fully contained, despite the developer whose account was infiltrated quickly detected the compromise.
Injective said Friday the "issue was identified and resolved immediately" and that "there were zero downloads of the malicious package."
The software supply chain attack is a relatively new attack vector in which hackers don’t target a blockchain’s cryptography or smart contracts directly, but instead compromise trusted developer tools used to build wallets, exchanges and apps.
Injective is an interoperable layer 1 designed for DeFi applications. Its usage has dwindled over the past two years, with total value locked shrinking by 88% to current levels of $8.2 million from its $71 million peak in mid-2024, according to DefiLlama.
Version 1.20.21 of the @injectivelabs/sdk-ts NPM package was modified through a compromised developer GitHub account, with suspicious commits beginning June 8. It was also pinned across 17 other packages in the Injective Labs NPM scope, “exposing users who may not have installed the SDK [software development kit] directly,” Socket said.
“The malicious release hooks wallet key-derivation functions, records private keys and mnemonics, and exfiltrates them through fake telemetry,” Socket explained.
The malicious code hooked into normal functions used to generate wallet keys, and whenever a developer’s app used these functions, it secretly copied the seed phrase or private key. The compromised data was then encoded and sent to a web address that looked like a legitimate Injective network server.
“Any keys or mnemonics passed through affected packages should be treated as compromised,” Socket added.
Related: ‘TrapDoor’ malware targets crypto dev tools in supply chain attack
Source
This article is syndicated for educational reading. For the latest updates, visit the original publisher.
Read on cointelegraph.com