← 返回
1小时前 · CoinTelegraph

Hackers tried to backdoor Injective npm package to steal wallet keys

The incident is significant for developers and applications that handle Injective wallet workflows, Socket researchers said. Hackers compromised a widely used Injective software package in a supply chain attack with malware designed to steal crypto wallet private keys, adding to a growing attack vector involving attackers using legitimate platforms to deliver malicious payloads. Security firm Socket discovered on Thursday that a popular npm (node package manager) package with around 50,000 weekly downloads used for building on the Injective blockchain was maliciously modified to steal wallet private keys and seed phrases. The large number of downloads makes the incident “significant for developers and applications that handle Injective wallet workflows,” Socket researchers said. The malicious code has since been removed. The software supply chain attack is a relatively new attack vector in which hackers don’t target a blockchain’s cryptography or smart contracts directly, but instead compromise trusted developer tools used to build wallets, exchanges and apps. Injective is an interoperable layer 1 designed for DeFi applications. Its usage has dwindled over the past two years, with total value locked shrinking by 88% to current levels of $8.2 million from its $71 million peak in mid-2024, according to DefiLlama. Version 1.20.21 of the @injectivelabs/sdk-ts npm package was modified through a compromised developer GitHub account, with suspicious commits beginning June 8. It was also pinned across 17 other packages in the Injective Labs npm scope, “exposing users who may not have installed the SDK [software development kit] directly,” Socket said. “The malicious release hooks wallet key-derivation functions, records private keys and mnemonics, and exfiltrates them through fake telemetry,” Socket explained. The malicious code hooked into normal functions used to generate wallet keys, and whenever a developer’s app used these functions, it secretly copied the seed phrase or private key. The compromised data was then encoded and sent to a web address that looked like a legitimate Injective network server. “Any keys or mnemonics passed through affected packages should be treated as compromised,” Socket added. Related: ‘TrapDoor’ malware targets crypto dev tools in supply chain attack Socket reported that the developer whose account was infiltrated quickly detected the compromise, but the malware had been downloaded more than 300 times, and “the campaign itself isn’t yet fully contained.” Injective CEO

📌 推荐交易所

欧意 | Binance | Bybit | Bitget | Gate.io


小靓分析:

🦊 小靓解读 Injective 的 npm 包遭供应链攻击,黑客植入恶意代码窃取钱包私钥和助记词,周下载量约5万次,影响面不小。这暴露了依赖开源生态的 DeFi 项目在软件供应链上的安全短板。 📊 市场影响 短期可能打击 Injective 生态开发者的信任,INJ 代币或有抛压,但消息一般化,不会引发暴跌。中长期看,若团队快速修复并加强审计,影响可控,类似事件在加密圈已多次上演。 💡 操作建议 持有 INJ 的用户留意官方更新,不要使用未经审计的第三方包。交易上建议观望,不追空也不抄底,等待事件消化后再做判断。

风险提示: 该资讯来源于公开渠道,仅供参考。Traceless 无痕智盈平台不对此信息准确性做任何保证。

💬 0
🏪 策略广场

💬 评论

🔑 登录 后即可评论
暂无评论,来说两句