Crypto Developers Targeted in Dangerous Supply-Chain Attack as Malicious Injective SDK Package Steals Wallet Keys + Video

Listen to this Post

Featured ImageIntroduction: A New Warning Sign for the Cryptocurrency Development Ecosystem

The cryptocurrency industry has once again become the target of a sophisticated software supply-chain attack, highlighting how attackers are shifting their focus from directly attacking users to compromising the tools developers trust. In this incident, hackers infiltrated the GitHub repository of the Injective Labs SDK project and used the access to distribute a malicious npm package designed to steal cryptocurrency wallet credentials.

The attack demonstrates a growing threat pattern across modern software ecosystems: compromising legitimate open-source projects and turning them into delivery channels for malware. Instead of creating suspicious packages from scratch, attackers increasingly abuse trusted libraries with thousands of users, making malicious code harder to detect.

The compromised package, part of the Injective Labs TypeScript/JavaScript SDK ecosystem, was downloaded hundreds of times before security researchers discovered the campaign. The malware specifically targeted wallet private keys and mnemonic seed phrases, which represent complete control over cryptocurrency assets.

Hackers Hijack Injective Labs SDK and Distribute Cryptocurrency-Stealing Malware

Security researchers from Socket, Ox Security, and StepSecurity uncovered a serious supply-chain compromise affecting the npm package ecosystem.

The attackers gained unauthorized access to a legitimate contributor’s GitHub account connected to the Injective Labs SDK project. After taking control of the account, they introduced malicious code into the project and published a compromised version of the package under the name:

@injectivelabs/sdk-ts version 1.20.21

The Injective SDK is widely used by developers building applications on the Injective blockchain, a Layer-1 blockchain designed around decentralized finance (DeFi), tokenized assets, decentralized exchanges, and blockchain-based financial applications.

Because the SDK is integrated into many cryptocurrency-related projects, including wallets, trading platforms, automated bots, and payment solutions, the compromise created a serious risk for developers and potentially their users.

A Trusted Package Turned Into a Malware Distribution Channel

The attack was particularly dangerous because the malicious package appeared to come from a legitimate source.

Unlike traditional malware campaigns where attackers distribute unknown files or suspicious applications, supply-chain attacks exploit trust. Developers naturally assume that popular open-source libraries from official repositories are safe.

The Injective SDK package had approximately 50,000 weekly downloads on npm, meaning even a short-lived malicious release had the potential to reach thousands of development environments.

Researchers found that the attacker published not only the compromised SDK version but also modified 17 additional packages connected to the Injective ecosystem. These packages were linked to the compromised SDK version, increasing the attack surface.

The attacker’s activity began around June 8, when suspicious commits appeared in the repository. Shortly afterward, the malicious npm releases became available.

Fast Response Prevented a Larger Disaster, but Damage Was Already Possible

The legitimate owner of the compromised GitHub account detected the unauthorized activity within minutes and immediately started recovery actions.

The malicious changes were reverted, and a clean version of the package, version 1.20.23, was released.

However, removing the malicious code did not completely eliminate the danger.

Security researchers discovered that the compromised package had already been downloaded approximately 310 times before being deprecated. The package was marked as unsafe but was not fully removed from npm, and malicious GitHub release artifacts remained available.

This means developers who installed the affected version may still have compromised systems, stolen credentials, or exposed cryptocurrency wallets.

How the Malware Stole Cryptocurrency Wallet Secrets

The Attack Did Not Activate Immediately

One of the most concerning aspects of this malware was its stealthy behavior.

The malicious code did not automatically execute when developers installed the npm package. Instead, it waited until specific SDK functions were used.

The malware activated when developers performed wallet-related operations, such as:

Generating cryptocurrency wallet keys

Importing existing wallets

Managing mnemonic recovery phrases

This approach reduced the chance of immediate detection because normal security scanning might not trigger suspicious behavior during installation.

Private Keys and Seed Phrases Were Sent to Attackers

Once activated, the malware searched for sensitive wallet information.

It captured:

Cryptocurrency private keys

Mnemonic seed phrases

Wallet authentication data

The stolen information was then encoded using Base64 and transmitted through an HTTP POST request.

Researchers noted that the malware sent the stolen information to an Injective Labs public infrastructure endpoint. This was likely designed to make the communication appear legitimate and avoid raising security alarms.

StepSecurity researchers discovered that the malware collected multiple stolen secrets, waited approximately two seconds, bundled the information, and transmitted it through HTTP request headers.

This technique shows a deliberate attempt to hide malicious traffic inside normal-looking network communication.

Why Cryptocurrency Wallet Developers Are Becoming Prime Targets

Cryptocurrency developers represent an attractive target because a single compromised development environment can provide access to valuable digital assets.

Unlike traditional accounts protected by password resets or banking regulations, cryptocurrency wallets rely heavily on private keys and recovery phrases.

If attackers obtain a seed phrase:

They can recreate the wallet.

They can move assets without permission.

Transactions usually cannot be reversed.

Victims may lose funds permanently.

This makes software supply-chain attacks especially dangerous in blockchain ecosystems.

A single compromised dependency can potentially affect thousands of applications and millions of users.

The Hidden Risk of Dependency Chains in Modern Software

The Injective SDK incident also highlights another major problem: dependency complexity.

According to researchers, the compromised package had approximately 87 direct npm dependencies.

Those dependencies themselves had additional dependencies, creating a much larger network of affected software.

Ox Security reported that the connected dependency ecosystem represented more than 112,000 cumulative downloads.

This demonstrates why modern software security cannot focus only on the main package. Attackers increasingly target the weakest link somewhere inside the dependency chain.

Developers Must Assume Open Source Can Be Compromised

Open-source software has become the foundation of modern technology, but popularity does not guarantee security.

Attackers are increasingly targeting:

npm packages

GitHub repositories

Developer accounts

CI/CD pipelines

Software build systems

The Injective incident follows a broader trend where criminals attack developers rather than end users.

By compromising developers, attackers gain access to trusted software distribution channels.

Recommended Actions for Developers and Security Teams

Developers who installed or used the compromised Injective SDK version should immediately take security precautions.

Recommended steps include:

Move cryptocurrency assets to new wallets.

Replace potentially exposed private keys.

Generate new mnemonic phrases.

Rotate API keys and authentication secrets.

Review developer machines for suspicious activity.

Check CI/CD pipelines for unauthorized modifications.

Audit installed npm packages.

Organizations should also strengthen supply-chain defenses through:

Dependency monitoring

Package integrity verification

Automated security scanning

Multi-factor authentication for developer accounts

GitHub security controls

Software composition analysis tools

What Undercode Say:

The Injective SDK compromise represents a clear evolution in modern cyberattacks.

Attackers no longer need to break directly into cryptocurrency exchanges or wallets.

They can simply attack the software developers who create the tools behind those systems.

The most dangerous part of this incident is not only the stolen wallet keys but the method used to obtain them.

The attackers understood that developers trust official repositories.

They understood that popular npm packages are automatically updated across thousands of projects.

They understood that cryptocurrency applications depend heavily on third-party libraries.

This makes supply-chain attacks extremely powerful.

The cryptocurrency industry has invested heavily in blockchain security, smart contract auditing, and transaction protection.

However, the software development process itself remains a weak point.

A perfectly secure blockchain application can still fail if the developer environment is compromised.

The attack also demonstrates the importance of behavioral security analysis.

Traditional antivirus systems often focus on known malware files.

Supply-chain malware is different because the malicious code exists inside trusted software.

Security teams must analyze what applications do, not only where they come from.

The use of legitimate infrastructure for data exfiltration is another important warning.

Attackers are becoming better at hiding inside normal business traffic.

Future security solutions must focus on unusual behavior patterns rather than simple reputation checks.

The incident also raises questions about npm ecosystem security.

Millions of developers depend on packages maintained by small teams or individual contributors.

A single stolen account can become a global security event.

Strong authentication, hardware security keys, signed releases, and continuous monitoring should become standard practices.

For cryptocurrency developers, protecting private keys must be treated as seriously as protecting production databases.

A leaked database can sometimes be repaired.

A stolen blockchain private key often cannot.

The Injective SDK attack is another reminder that the weakest point in a digital ecosystem is often not the technology itself, but the human and software supply chain surrounding it.

Deep Analysis: Commands Security Teams Should Execute After a Supply-Chain Attack

Check installed npm package versions
npm list @injectivelabs/sdk-ts

Search project dependencies for compromised versions

npm audit

Review package lock files

cat package-lock.json

Identify recently changed dependencies

git log --stat

Review suspicious GitHub commits

git diff HEAD~10 HEAD

Scan project files for exposed secrets

grep -r privateKey .

Search for cryptocurrency seed phrases

grep -r mnemonic .

Check active network connections

netstat -an

Review running processes

ps aux

Inspect npm package integrity

npm cache verify

Reinstall dependencies safely

npm ci

Rotate exposed API keys

Rotate wallet credentials

Generate new wallet addresses

Monitor CI/CD pipeline changes

Review GitHub Actions permissions

Enable dependency scanning

Enable security alerts

✅ Confirmed: Security researchers identified a malicious version of the @injectivelabs/sdk-ts npm package that attempted to steal cryptocurrency wallet credentials.

✅ Confirmed: The compromised version was distributed through a legitimate project compromise involving GitHub access.

❌ Not confirmed: There is currently no public evidence proving that attackers successfully stole large amounts of cryptocurrency from victims, although the risk was significant.

Prediction

(+1) Supply-chain security will become one of the highest priorities for blockchain companies as attackers increasingly target developer ecosystems instead of end-user applications.

(+1) More cryptocurrency projects will adopt mandatory package signing, stronger GitHub protections, and automated dependency monitoring.

(+1) Security companies will develop more advanced AI-powered tools capable of detecting malicious behavior hidden inside legitimate open-source packages.

(-1) Open-source ecosystems will continue facing attacks because millions of projects rely on dependencies maintained by limited teams.

(-1) Cryptocurrency developers who fail to protect private keys and build environments will remain vulnerable to similar wallet-draining campaigns.

(-1) Future attacks may become more damaging by targeting popular infrastructure libraries with larger user bases and deeper dependency chains.

▶️ Related Video (78% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.quora.com/topic/Technology
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube