Hackers compromised the Injective Labs SDK GitHub repository and used it to publish a malicious npm package that stole cryptocurrency wallet private keys and mnemonic seed phrases. The supply-chain attack affected @injectivelabs/sdk-ts and related packages, putting developers and users of Injective blockchain tools at risk. #InjectiveLabs #InjectiveSDK #npm
Keypoints
- Attackers breached a legitimate contributorβs GitHub account.
- They published malicious version 1.20.21 of @injectivelabs/sdk-ts on npm.
- The malware stole wallet private keys and mnemonic seed phrases during SDK use.
- Related packages were also pinned to the compromised SDK version.
- The malicious package was downloaded before being deprecated, and clean version 1.20.23 was released.