Skip to content

Injective SDK on npm Infected with Cryptocurrency Wallet Stealer via Supply-Chain Attack

Hackers compromised the Injective Labs SDK project’s GitHub repository and used it to publish a malicious package on the Node Package Manager (npm) that stole cryptocurrency wallet private keys and mnemonic seed phrases. Application security companies Socket, Ox Security, and StepSecurity detected the supply-chain attack via version 1.20.21 of the @injectivelabs/sdk-ts npm package.

The Injective SDK is a TypeScript/JavaScript software development kit (SDK) for building applications on the Injective blockchain, a Layer-1 blockchain focused on decentralized finance (DeFi), tokenized assets, and decentralized exchanges. The package has 50,000 weekly downloads on npm and is used by developers building cryptocurrency wallets, trading bots, decentralized exchanges, DeFi applications, and payment tools.

According to the researchers, the attacker compromised a GitHub account belonging to a legitimate project contributor and made the first suspicious commits on June 8, publishing the malicious version of the package shortly afterward. The attacker also published version 1.20.21 for another 17 packages associated with the project, pinning all of them to the compromised SDK version.

The legitimate account owner detected the compromise within minutes, reverted the changes, and published a clean release, version 1.20.23. However, developer systems fetching the malicious packages via an update or used them were likely compromised. Socket says the malicious version of the package was downloaded 310 times before it was deprecated, not removed, and the malicious GitHub release artifacts are still available.

The malware activates when the developers use SDK functions that generate or import wallet keys, rather than upon installation. Once those functions are called, the malware captures the full mnemonic seed phrase and private key and encodes the data in base64. All the information is exfiltrated via an HTTP POST request to an Injective Labs public infrastructure endpoint to make the traffic appear legitimate.

StepSecurity reports that the malware did not immediately transmit stolen secrets, but instead queued multiple keys and mnemonics for two seconds, bundled them in the HTTP request header, and sent them. The attackers may then use the mnemonic or private key to port the victim’s wallets to their own devices and access, use, or transfer their digital assets.

Developers who suspect compromise should transfer their cryptocurrency to new wallets and rotate all secrets in their environment.

Supply-Chain Attack Details

* 310 downloads of the malicious package before it was deprecated

* 50,000 weekly downloads on npm for the Injective SDK

* 87 direct dependencies on npm for the package

* Cumulative download count of over 112,000 for dependent packages

Security Implications

The malware’s ability to capture and exfiltrate sensitive information highlights the importance of secure software development practices. Developers should be cautious when using third-party libraries and regularly review their dependencies for potential security risks.

Conclusion

The Injective SDK supply-chain attack serves as a reminder of the need for vigilance in the face of increasingly sophisticated cyber threats. By staying informed and taking proactive measures to protect against supply-chain attacks, developers can minimize the risk of compromise and ensure the security of their applications and users.

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *