Malicious npm Package Steals Crypto Keys via Compromised GitHub Repo
Threat actors breached Injective Labs' GitHub repo to push a malicious npm package designed to steal cryptocurrency wallet credentials. The compromised SDK package伪装成 legitimate telemetry but secretly exfiltrated sensitive user data.
TL;DR
- Attackers compromised Injective Labs' GitHub repository
- Published malicious npm package @injectivelabs/sdk-ts@1.20.21
- Package contained hidden telemetry that stole wallet private keys
- Targets included MetaMask and other popular crypto wallets
- Organizations should audit third-party dependencies immediately
Security researchers have discovered that unknown threat actors successfully compromised the official GitHub repository of Injective Labs SDK project. The attackers used this access to publish a malicious version of the npm package that actively steals cryptocurrency wallet credentials from unsuspecting developers and users.
The compromised package, identified as @injectivelabs/sdk-ts@1.20.21, was published to the public npm registry and remained undetected for a period of time. This version appeared legitimate to most users but contained hidden functionality designed to extract sensitive cryptographic material from connected wallets.
Attack Vector and Impact
- Threat actors gained unauthorized access to Injective Labs' GitHub repository
- Malicious code was embedded within what appeared to be normal telemetry functionality
- The package specifically targeted private keys and mnemonic seed phrases from crypto wallets
- Affected wallets include popular platforms like MetaMask, Trust Wallet, and others
- Data exfiltration occurred silently without user knowledge or consent
Detection and Response
- Security teams identified the compromise through anomalous network activity patterns
- The malicious package version has been removed from npm registry
- Injective Labs has rotated all repository access tokens and implemented additional security controls
- Users are advised to revoke and regenerate wallet keys if they used the compromised package
- Organizations should conduct immediate audits of their dependency trees for similar threats
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.