← Back to blog

Malicious npm Package Steals Crypto Keys via Compromised GitHub Repo

Threat actors breached Injective Labs' GitHub repo to push a malicious npm package designed to steal cryptocurrency wallet credentials. The compromised SDK package伪装成 legitimate telemetry but secretly exfiltrated sensitive user data.

TL;DR

  • Attackers compromised Injective Labs' GitHub repository
  • Published malicious npm package @injectivelabs/sdk-ts@1.20.21
  • Package contained hidden telemetry that stole wallet private keys
  • Targets included MetaMask and other popular crypto wallets
  • Organizations should audit third-party dependencies immediately

Security researchers have discovered that unknown threat actors successfully compromised the official GitHub repository of Injective Labs SDK project. The attackers used this access to publish a malicious version of the npm package that actively steals cryptocurrency wallet credentials from unsuspecting developers and users.

The compromised package, identified as @injectivelabs/sdk-ts@1.20.21, was published to the public npm registry and remained undetected for a period of time. This version appeared legitimate to most users but contained hidden functionality designed to extract sensitive cryptographic material from connected wallets.

Attack Vector and Impact

  • Threat actors gained unauthorized access to Injective Labs' GitHub repository
  • Malicious code was embedded within what appeared to be normal telemetry functionality
  • The package specifically targeted private keys and mnemonic seed phrases from crypto wallets
  • Affected wallets include popular platforms like MetaMask, Trust Wallet, and others
  • Data exfiltration occurred silently without user knowledge or consent

Detection and Response

  • Security teams identified the compromise through anomalous network activity patterns
  • The malicious package version has been removed from npm registry
  • Injective Labs has rotated all repository access tokens and implemented additional security controls
  • Users are advised to revoke and regenerate wallet keys if they used the compromised package
  • Organizations should conduct immediate audits of their dependency trees for similar threats

Sources

Sources

Security email updates

One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.

Malicious npm Package Steals Crypto Keys via Compromised GitHub Repo — Agent Breach Blog | Agent Breach