Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages
Threat actors compromised the Injective Labs SDK GitHub repository, injecting malicious code into version 1.20.21 to steal cryptocurrency wallet private keys and mnemonic seed phrases. The attack leveraged a trusted maintainer's identity ("thomasRalee") and the repository's OIDC pipeline to publish the malicious package, which spread to 17 dependent scoped packages. The malware disguised key exfiltration as anonymous telemetry via a "trackKeyDerivation()" function, sending sensitive data to an e
Analysis
TL;DR
- Threat actors compromised the Injective Labs SDK GitHub repository, injecting malicious code into version 1.20.21 to steal cryptocurrency wallet private keys and mnemonic seed phrases.
- The attack leveraged a trusted maintainer's identity ("thomasRalee") and the repository's OIDC pipeline to publish the malicious package, which spread to 17 dependent scoped packages.
- The malware disguised key exfiltration as anonymous telemetry via a "trackKeyDerivation()" function, sending sensitive data to an external server while avoiding detection by bypassing installation lifecycle scripts.
- Immediate remediation requires updating to version 1.20.23, rotating all compromised keys, and auditing transitive dependencies for similar supply chain vulnerabilities.
Why It Matters
This incident highlights the critical vulnerability of open-source software supply chains, demonstrating how compromising a single maintainer account can cascade into widespread theft of cryptographic assets across numerous dependent projects. It serves as a stark warning to developers and organizations relying on third-party libraries to implement rigorous verification processes for package integrity and maintainer identities.
Technical Details
- Attack Vector: The malicious code was introduced via commits from a compromised account of an established contributor, utilizing the project's trusted-publisher (OIDC) CI/CD pipeline to automate the release process.
- Malware Mechanism: The payload modified legitimate key generation functions by invoking a fake telemetry function named
trackKeyDerivation(). This function collected hard-coded markers and sensitive derivation parameters under the guise of optimizing SDK performance. - Exfiltration Strategy: To evade detection, the malware avoided npm lifecycle scripts (like
preinstall) and instead triggered upon library usage. It queued key derivation data over a two-second window and transmitted it via a single HTTPS POST request totestnet.archival.chain.grpc-web.injective[.]network. - Scope of Impact: The malicious SDK version (1.20.21) was pinned by 17 additional
@injectivelabsscoped packages, including various wallet modules (e.g.,wallet-cosmos,wallet-evm), exposing transitive users who did not directly install the compromised package.
Industry Insight
- Supply Chain Vigilance: Organizations must move beyond simple dependency checks and implement strict verification of package provenance, particularly for high-value targets like crypto infrastructure. Regular audits of maintainer activity and CI/CD pipeline configurations are essential.
- Zero Trust for Dependencies: Developers should assume that popular open-source packages may be compromised. Implementing software bill of materials (SBOM) analysis and runtime monitoring for anomalous network calls from libraries can help detect such intrusions early.
- Incident Response Protocols: Immediate rotation of credentials and keys is non-negotiable upon discovery of a supply chain breach. Companies should have predefined playbooks for identifying and isolating affected services when a trusted library is compromised.
Disclaimer: The above content is generated by AI and is for reference only.