AI vs. Supply Chain Security: Learn how to defend your code. Save your seat.

Injectivelabs npm Package Hijacked, Impacting 87 Dependent Packages

Injectivelabs npm Package Hijacked

Supply chain hits npm registry immediately following the v12 release, proving developer ecosystems remain heavily targeted.

Breaking News: A malicious version of Injectivelabs/sdk-ts@1.20.21 was uploaded to the npm registry. The compromised package contains malware designed to exfiltrate cryptocurrency from victim machines.

Overview

The @injectivelabs/sdk-ts package was hijacked to deliver crypto-stealing malware. Because this package has 87 downstream dependents, any project utilizing a non-pinned version of the SDK during the window the attack was live automatically pulled the malicious update.

Notably, secondary packages within the Injective ecosystem were not directly injected with malicious code; instead, their dependency trees were modified to point explicitly to @injectivelabs/sdk-ts@1.20.21 to execute the payload indirectly.

Who is affected

Anyone who installed @injectivelabs/sdk-ts@1.20.21 or one of its dependents during the time it was live.

Impact

Impact: cryptocurrency exfiltration from the victim’s machine,

Reach: 87 dependent packages, combining for an accumulated 112,378 downloads count.

  1. Update to a fixed package of the affected packages immediately
  2. Add 2FA to your crypto-currency wallets and check for suspicious transactions

Technical Analysis

image

The malware adds crypto wallet stealing logic to a crypto wallet package, every time a legitimate user creates or uses the logic that reads mnemonic phrases – which are basically the master key for any crypto wallet, the malware reads them and sends them to the remote server.

image

It’s interesting to note that the threat actors targeted a crypto currency npm package for the malicious stealing logic – to ensure that their victims use the wallet handling logic directly.

The malware contains an obfuscated string which translates to the remote C2 server testnet.archival.chain.grpc-web[.]injective[.]network

image

Since the malware is highly targeted, only the collection and sending logic was added, showing that this was a rather targeted attack and not a wide-spread malware such as Shai-Hulud and it’s variants.

Affected Packages

Package nameAffected versions
@injectivelabs/sdk-ts1.20.21
@injectivelabs/utils1.20.21
@injectivelabs/networks1.20.21
@injectivelabs/ts-types1.20.21
@injectivelabs/exceptions1.20.21
@injectivelabs/wallet-base1.20.21
@injectivelabs/wallet-core1.20.21
@injectivelabs/wallet-cosmos1.20.21
@injectivelabs/wallet-private-key1.20.21
@injectivelabs/wallet-evm1.20.21
@injectivelabs/wallet-trezor1.20.21
@injectivelabs/wallet-cosmostation1.20.21
@injectivelabs/wallet-ledger1.20.21
@injectivelabs/wallet-wallet-connect1.20.21
@injectivelabs/wallet-magic1.20.21
@injectivelabs/wallet-strategy1.20.21
@injectivelabs/wallet-turnkey1.20.21
@injectivelabs/wallet-cosmos-strategy1.20.21

Conclusions

Less than 24 hours since npm v12 is out, we’re seeing what we always said – supply chain attacks are here to stay, and they found the npm registry as their new home.

These operations don’t even need to be highly sophisticated—they just need to work. As long as threat actors can compromise developer accounts via stolen GitHub access tokens, phishing, or account takeovers, they can upload malicious iterations without a single automated guardrail standing in their way.

Attackers don’t need to hit your main application repository directly—they just need to poison its dependencies. If you aren’t monitoring what your code is bringing in – you’re cooked. This campaign perfectly illustrates this tactical evolution: the threat actors pinned the other @injectivelabs dependencies to a malicious version. By keeping those secondary packages clean of malicious code, the core malware evades detection longer, buying it time to spread through the registry, and even more time in unofficial registries.

Tags:

post banner image

Run Every Security Test Your Code Needs

Pinpoint, investigate and eliminate code-level issues across the entire SDLC.

GET A PERSONALIZED DEMO
Frame 2085668530

Subscribe to Our Newsletter

Stay updated with the latest SaaS insights, tips, and news delivered straight to your inbox.

Group 1261154229