According to security firm StepSecurity, on July 8 an attacker leveraged a trusted developer account’s permissions to implant a backdoor into the Injective official TypeScript SDK @injectivelabs/sdk-ts, pushing malicious version 1.20.21 to 18 related npm packages via an automated release process. The malicious code was disguised as an analysis tool, collecting mnemonics and private keys during wallet creation or loading and sending them to a server controlled by the attacker. The affected version was online for less than an hour before being withdrawn, and the 18 packages subsequently released a fixed version 1.20.23. StepSecurity recommends that apps that installed the affected package or used a cached copy within the relevant time window treat any wallet keys that came into contact as compromised.

INJ-0.45%
View Original
This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.
  • Reward
  • Comment
  • Repost
  • Share
Comment
Add a comment
Add a comment
No comments
  • Pinned