Listen to this Post
Introduction: A New Warning Sign for the Cryptocurrency Development Ecosystem
The cryptocurrency industry has once again become the target of a sophisticated software supply-chain attack, highlighting how attackers are shifting their focus from directly attacking users to compromising the tools developers trust. In this incident, hackers infiltrated the GitHub repository of the Injective Labs SDK project and used the access to distribute a malicious npm package designed to steal cryptocurrency wallet credentials.
The attack demonstrates a growing threat pattern across modern software ecosystems: compromising legitimate open-source projects and turning them into delivery channels for malware. Instead of creating suspicious packages from scratch, attackers increasingly abuse trusted libraries with thousands of users, making malicious code harder to detect.
The compromised package, part of the Injective Labs TypeScript/JavaScript SDK ecosystem, was downloaded hundreds of times before security researchers discovered the campaign. The malware specifically targeted wallet private keys and mnemonic seed phrases, which represent complete control over cryptocurrency assets.
Hackers Hijack Injective Labs SDK and Distribute Cryptocurrency-Stealing Malware
Security researchers from Socket, Ox Security, and StepSecurity uncovered a serious supply-chain compromise affecting the npm package ecosystem.
The attackers gained unauthorized access to a legitimate contributor’s GitHub account connected to the Injective Labs SDK project. After taking control of the account, they introduced malicious code into the project and published a compromised version of the package under the name:
@injectivelabs/sdk-ts version 1.20.21
The Injective SDK is widely used by developers building applications on the Injective blockchain, a Layer-1 blockchain designed around decentralized finance (DeFi), tokenized assets, decentralized exchanges, and blockchain-based financial applications.
Because the SDK is integrated into many cryptocurrency-related projects, including wallets, trading platforms, automated bots, and payment solutions, the compromise created a serious risk for developers and potentially their users.
A Trusted Package Turned Into a Malware Distribution Channel
The attack was particularly dangerous because the malicious package appeared to come from a legitimate source.
Unlike traditional malware campaigns where attackers distribute unknown files or suspicious applications, supply-chain attacks exploit trust. Developers naturally assume that popular open-source libraries from official repositories are safe.
The Injective SDK package had approximately 50,000 weekly downloads on npm, meaning even a short-lived malicious release had the potential to reach thousands of development environments.
Researchers found that the attacker published not only the compromised SDK version but also modified 17 additional packages connected to the Injective ecosystem. These packages were linked to the compromised SDK version, increasing the attack surface.
The attacker’s activity began around June 8, when suspicious commits appeared in the repository. Shortly afterward, the malicious npm releases became available.
Fast Response Prevented a Larger Disaster, but Damage Was Already Possible
The legitimate owner of the compromised GitHub account detected the unauthorized activity within minutes and immediately started recovery actions.
The malicious changes were reverted, and a clean version of the package, version 1.20.23, was released.
However, removing the malicious code did not completely eliminate the danger.
Security researchers discovered that the compromised package had already been downloaded approximately 310 times before being deprecated. The package was marked as unsafe but was not fully removed from npm, and malicious GitHub release artifacts remained available.
This means developers who installed the affected version may still have compromised systems, stolen credentials, or exposed cryptocurrency wallets.
How the Malware Stole Cryptocurrency Wallet Secrets
The Attack Did Not Activate Immediately
One of the most concerning aspects of this malware was its stealthy behavior.
The malicious code did not automatically execute when developers installed the npm package. Instead, it waited until specific SDK functions were used.
The malware activated when developers performed wallet-related operations, such as:
Generating cryptocurrency wallet keys
Importing existing wallets
Managing mnemonic recovery phrases
This approach reduced the chance of immediate detection because normal security scanning might not trigger suspicious behavior during installation.
Private Keys and Seed Phrases Were Sent to Attackers
Once activated, the malware searched for sensitive wallet information.
It captured:
Cryptocurrency private keys
Mnemonic seed phrases
Wallet authentication data
The stolen information was then encoded using Base64 and transmitted through an HTTP POST request.
Researchers noted that the malware sent the stolen information to an Injective Labs public infrastructure endpoint. This was likely designed to make the communication appear legitimate and avoid raising security alarms.
StepSecurity researchers discovered that the malware collected multiple stolen secrets, waited approximately two seconds, bundled the information, and transmitted it through HTTP request headers.
This technique shows a deliberate attempt to hide malicious traffic inside normal-looking network communication.
Why Cryptocurrency Wallet Developers Are Becoming Prime Targets
Cryptocurrency developers represent an attractive target because a single compromised development environment can provide access to valuable digital assets.
Unlike traditional accounts protected by password resets or banking regulations, cryptocurrency wallets rely heavily on private keys and recovery phrases.
If attackers obtain a seed phrase:
They can recreate the wallet.
They can move assets without permission.
Transactions usually cannot be reversed.
Victims may lose funds permanently.
This makes software supply-chain attacks especially dangerous in blockchain ecosystems.
A single compromised dependency can potentially affect thousands of applications and millions of users.
The Hidden Risk of Dependency Chains in Modern Software
The Injective SDK incident also highlights another major problem: dependency complexity.
According to researchers, the compromised package had approximately 87 direct npm dependencies.
Those dependencies themselves had additional dependencies, creating a much larger network of affected software.
Ox Security reported that the connected dependency ecosystem represented more than 112,000 cumulative downloads.
This demonstrates why modern software security cannot focus only on the main package. Attackers increasingly target the weakest link somewhere inside the dependency chain.
Developers Must Assume Open Source Can Be Compromised
Open-source software has become the foundation of modern technology, but popularity does not guarantee security.
Attackers are increasingly targeting:
npm packages
GitHub repositories
Developer accounts
CI/CD pipelines
Software build systems
The Injective incident follows a broader trend where criminals attack developers rather than end users.
By compromising developers, attackers gain access to trusted software distribution channels.
Recommended Actions for Developers and Security Teams
Developers who installed or used the compromised Injective SDK version should immediately take security precautions.
Recommended steps include:
Move cryptocurrency assets to new wallets.
Replace potentially exposed private keys.
Generate new mnemonic phrases.
Rotate API keys and authentication secrets.
Review developer machines for suspicious activity.
Check CI/CD pipelines for unauthorized modifications.
Audit installed npm packages.
Organizations should also strengthen supply-chain defenses through:
Dependency monitoring
Package integrity verification
Automated security scanning
Multi-factor authentication for developer accounts
GitHub security controls
Software composition analysis tools
What Undercode Say:
The Injective SDK compromise represents a clear evolution in modern cyberattacks.
Attackers no longer need to break directly into cryptocurrency exchanges or wallets.
They can simply attack the software developers who create the tools behind those systems.
The most dangerous part of this incident is not only the stolen wallet keys but the method used to obtain them.
The attackers understood that developers trust official repositories.
They understood that popular npm packages are automatically updated across thousands of projects.
They understood that cryptocurrency applications depend heavily on third-party libraries.
This makes supply-chain attacks extremely powerful.
The cryptocurrency industry has invested heavily in blockchain security, smart contract auditing, and transaction protection.
However, the software development process itself remains a weak point.
A perfectly secure blockchain application can still fail if the developer environment is compromised.
The attack also demonstrates the importance of behavioral security analysis.
Traditional antivirus systems often focus on known malware files.
Supply-chain malware is different because the malicious code exists inside trusted software.
Security teams must analyze what applications do, not only where they come from.
The use of legitimate infrastructure for data exfiltration is another important warning.
Attackers are becoming better at hiding inside normal business traffic.
Future security solutions must focus on unusual behavior patterns rather than simple reputation checks.
The incident also raises questions about npm ecosystem security.
Millions of developers depend on packages maintained by small teams or individual contributors.
A single stolen account can become a global security event.
Strong authentication, hardware security keys, signed releases, and continuous monitoring should become standard practices.
For cryptocurrency developers, protecting private keys must be treated as seriously as protecting production databases.
A leaked database can sometimes be repaired.
A stolen blockchain private key often cannot.
The Injective SDK attack is another reminder that the weakest point in a digital ecosystem is often not the technology itself, but the human and software supply chain surrounding it.
Deep Analysis: Commands Security Teams Should Execute After a Supply-Chain Attack
Check installed npm package versions npm list @injectivelabs/sdk-ts
Search project dependencies for compromised versions
npm audit
Review package lock files
cat package-lock.json
Identify recently changed dependencies
git log --stat
Review suspicious GitHub commits
git diff HEAD~10 HEAD
Scan project files for exposed secrets
grep -r privateKey .
Search for cryptocurrency seed phrases
grep -r mnemonic .
Check active network connections
netstat -an
Review running processes
ps aux
Inspect npm package integrity
npm cache verify
Reinstall dependencies safely
npm ci
Rotate exposed API keys
Rotate wallet credentials
Generate new wallet addresses
Monitor CI/CD pipeline changes
Review GitHub Actions permissions
Enable dependency scanning
Enable security alerts
✅ Confirmed: Security researchers identified a malicious version of the @injectivelabs/sdk-ts npm package that attempted to steal cryptocurrency wallet credentials.
✅ Confirmed: The compromised version was distributed through a legitimate project compromise involving GitHub access.
❌ Not confirmed: There is currently no public evidence proving that attackers successfully stole large amounts of cryptocurrency from victims, although the risk was significant.
Prediction
(+1) Supply-chain security will become one of the highest priorities for blockchain companies as attackers increasingly target developer ecosystems instead of end-user applications.
(+1) More cryptocurrency projects will adopt mandatory package signing, stronger GitHub protections, and automated dependency monitoring.
(+1) Security companies will develop more advanced AI-powered tools capable of detecting malicious behavior hidden inside legitimate open-source packages.
(-1) Open-source ecosystems will continue facing attacks because millions of projects rely on dependencies maintained by limited teams.
(-1) Cryptocurrency developers who fail to protect private keys and build environments will remain vulnerable to similar wallet-draining campaigns.
(-1) Future attacks may become more damaging by targeting popular infrastructure libraries with larger user bases and deeper dependency chains.
▶️ Related Video (78% Match):
🕵️📝Let’s dive deep and fact‑check.
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
References:
Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.quora.com/topic/Technology
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube




