🟠 High | Source: The Hacker News
Attackers compromised the GitHub repository of Injective Labs, a blockchain SDK project, and used it to publish a malicious npm package (@injectivelabs/sdk-ts@1.20.21) that secretly steals cryptocurrency wallet private keys and seed phrases. The package disguised its theft mechanism as routine telemetry functionality, making it difficult to detect. This is a classic software supply chain attack targeting developers who build on the Injective blockchain ecosystem.
Security Architect’s Take: Audit your organisation’s dependency trees immediately for @injectivelabs/sdk-ts and pin or remove version 1.20.21; implement npm package integrity checks and consider enforcing lockfiles with hash verification in your CI/CD pipelines to detect unexpected package changes before they reach production.
Original advisory: Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages