Injective SDK on npm Infected with Cryptocurrency Wallet Stealer
Hackers compromised the official GitHub repository of Injective Labs and used that access to publish a malicious version of the project's SDK on npm. According to BleepingComputer, the tampered package was designed to steal cryptocurrency wallet private keys and mnemonic seed phrases from any developer who installed it.
What Happened
Attackers gained write access to the Injective Labs GitHub repository and pushed code that contained a wallet-stealing payload. Because the compromised repository fed directly into the npm publish pipeline, the malicious package reached the public npm registry under the project's trusted name. Developers who installed or updated the package during the window of compromise would have had any local wallet credentials silently exfiltrated.
The attack targeted private keys and mnemonic seed phrases, which are the master credentials for cryptocurrency wallets. Anyone holding those values can drain a wallet completely. The package lived on npm, the default package registry for JavaScript and Node.js projects, giving it broad reach across the developer ecosystem.
Why This Matters to Small Teams
Small teams and solo developers often install SDK packages without reviewing the source code. You trust the package name, the download count, and the fact that it comes from a recognizable project. This incident shows that trust can be broken at the source: when an upstream repository is compromised, the malicious code arrives wearing a legitimate badge.
Run the exact check on your domain
See your security score, grade, and a breakdown of what's exposed. Free. Takes under 2 minutes.
Scan my site free →If you are building anything that touches cryptocurrency, DeFi protocols, or Web3 wallets, your local development environment may hold wallet credentials for testing or deployment. A malicious npm package can read environment variables, configuration files, and in-memory secrets. One bad npm install can expose keys that control real funds.
Beyond crypto projects, this attack pattern applies broadly. Any compromised npm package can harvest API keys, database connection strings, or cloud credentials that happen to be present in the same environment. Supply chain attacks through package registries have become one of the most reliable ways to reach developers at scale, precisely because the attack surface is a routine workflow step: updating dependencies.
How to Stay Protected
-
Pin dependency versions in production. Use exact version pinning in
package.jsonand commit apackage-lock.jsonoryarn.lockfile. Avoidlatestor loose ranges that silently pull updated packages. -
Enable npm package provenance and integrity checks. Use
npm auditregularly and consider tools like Socket.dev or similar supply chain scanners that flag unexpected behavior in new package versions. -
Never store live wallet credentials in your development environment. Use separate wallets with minimal funds for testing. Keep production private keys and seed phrases offline or in a hardware wallet, never as plaintext on a machine running arbitrary npm code.
-
Review changelog and diff before upgrading. For security-sensitive packages, check the release notes and commit history before running an update. A sudden version bump with vague notes is worth investigating.
-
Use environment isolation. Run dependency installation inside containers or sandboxed environments where file system and network access is restricted. This limits what a malicious package can reach.
-
Monitor your GitHub repository access. Enable required code reviews, branch protection rules, and audit logs for all contributors. If a repo you depend on is compromised at the source, early detection limits the blast radius.
How UNPWNED Helps
UNPWNED focuses on web-facing security hygiene, including headers, exposed configuration, and transport security. While our scanner does not directly audit npm dependency trees, it can surface symptoms of a compromised deployment: exposed environment files, misconfigured endpoints, and missing security headers that attackers exploit after initial access. If a malicious package has already run in your environment and modified your deployment, our continuous scanning gives you a baseline to detect unexpected changes in your site's behavior. For direct supply chain protection, pair UNPWNED with a dedicated software composition analysis tool.
This post was drafted with AI assistance based on authoritative security sources, then published under editorial review.
Source
BleepingComputerDiscussion (0)
Is your site exposed to issues like these?
SCAN YOUR SITE FREE