Injective SDK turned into skeleton keys: npm package siphoned dev wallets 🗝️
Back to feed

Injective SDK turned into skeleton keys: npm package siphoned dev wallets 🗝️

Attackers compromised a trusted Injective Labs software package and used it to steal developers' wallet credentials, publishing a malicious version of the TypeScript SDK, @injectivelabs/sdk-ts v1.20.21, to npm. The package is used for building Injective applications, creating wallets and signing transactions. The attacker gained access to a legitimate Injective Labs contributor's GitHub account and distributed malicious commits, including a test branch named "test-backdoor-check."

Posing as a telemetry update, the malicious release extracted private keys and mnemonic seed phrases instead of usage data, giving attackers everything needed to recreate and seize victims' crypto wallets. The malware stayed dormant during installation to evade detection and only executed when developers called the fromMnemonic or fromHex wallet generation functions. Around 50,000 downloads of the compromised package occurred each week, and at least 87 other packages depended on it directly.

The blast radius widened through transitive dependencies in 17 additional Injective packages that relied on the SDK, and the attacker also released 17 further Injective packages pinned to the compromised SDK version. A clean release, v1.20.23, was published soon after, though the compromised version remained available on npm as a deprecated package and its release artifacts were still present on GitHub. Developers using the affected SDK are advised to rotate impacted credentials, generate new wallets and move funds off addresses derived with the compromised version.

The incident landed in the same week that BonkDAO reported losing $20 million to a "malicious governance proposal," making it the most recent high-profile crypto hack tied to compromised developer infrastructure.

Mentioned Coins

$INJ
Share:
Publishercryptonewsroom.xyz
Published
CategorySecurity

Disclaimer: This content is for information and entertainment purposes only. It does not constitute financial, investment, legal, or tax advice. Always do your own research and consult with qualified professionals before making any financial decisions.

See our Terms of Service, Privacy Policy, and Editorial Policy.