Hackers compromised the Injective Labs SDK project's GitHub repository and used it to publish a malicious package on the Node Package Manager (npm) that stole cryptocurrency wallet private keys and mnemonic seed phrases.

Application security companies Socket, Ox Security, and StepSecurity detected the supply-chain attack via version 1.20.21 of the @injectivelabs/sdk-ts npm package.

Injective SDK is a TypeScript/JavaScript software development kit (SDK) for building applications on the Injective blockchain, a Layer-1 blockchain focused on decentralized finance (DeFi), tokenized assets, and decentralized exchanges.

The package has 50,000 weekly downloads on npm and is used by developers building cryptocurrency wallets, trading bots, decentralized exchanges, DeFi applications, and payment tools.

According to the researchers, the attacker compromised a GitHub account belonging to a legitimate project contributor and made the first suspicious commits on June 8, publishing the malicious version of the package shortly afterward.