Injective SDK on npm infected with cryptocurrency wallet stealer
Summary
Hackers compromised the Injective Labs SDK project's GitHub repository, injecting a malicious package onto the npm registry. This compromised package was designed to steal cryptocurrency wallet private keys and mnemonic seed phrases from users who installed it.
IFF Assessment
This incident represents a direct attack on a software supply chain, leading to potential theft of sensitive cryptocurrency assets, which is detrimental to defenders.
Defender Context
This incident highlights a critical software supply chain vulnerability where malicious code can be injected into legitimate packages, posing a significant risk to users. Defenders should be vigilant about the dependencies they integrate and consider implementing stricter code scanning and validation processes for third-party libraries.