InjectiveLabs/SDK-TS, a widely used package, was briefly published on Node Package Manager (npm) as a malicious version after attackers gained access to a legitimate contributor’s GitHub account, exposing developers to the theft of cryptocurrency wallet credentials.
Several security researchers from Socket, Ox Security, and StepSecurity identified the supply chain attack as targeting Injective Labs’ TypeScript/JavaScript SDK, which is used to develop applications based on Injective’s blockchain.
Several security researchers from Socket, Ox Security, and StepSecurity identified the supply chain attack as targeting Injective Labs’ TypeScript/JavaScript SDK, which is used to develop applications based on Injective’s blockchain.
The SDK is widely adopted by developers who create cryptocurrency wallets, decentralized finance (DeFi) applications, decentralized exchanges, trading bots, and payment platforms, with approximately 50,000 downloads per week on NPM.
A significant security issue is the responsibility of the SDK when it comes to creating and importing cryptocurrency wallets, as it occupies a critical position in the development process. Developers and end users alike are particularly vulnerable to any compromise of the SDK because the wallet creation functions are crucial to the handling of users’ mnemonic recovery phrases and private keys.
Researchers have determined that hackers gained access to a legitimate contributor’s GitHub account on June 8 and introduced malicious code, which was later released as version 1.20.21 for the @injectivelabs/sdk-ts package. Additionally, 17 additional Injective-related packages were referenced by the compromised release, resulting in a significant impact on downstream projects.
According to security researchers, attackers compromised a legitimate maintainer’s account after exploiting the trust-worthy GitHub publishing workflow of the project.
According to security researchers, attackers compromised a legitimate maintainer’s account after exploiting the trust-worthy GitHub publishing workflow of the project.
As opposed to stealing an NPM publishing token or creating a fake package, the malicious version was distributed through the repository’s normal release process, making the compromise appear genuine.
Package maintainers detected the malicious activity within minutes, reverting the unauthorized changes and releasing a version that is free of malicious activity, 1.20.23.
Nevertheless, systems that downloaded or updated the compromised package during the brief exposure window may still have been affected. In contrast to conventional malware that is executed during installation, the injected code is activated when developers create or import cryptocurrency wallets using SDK functions.
When this was achieved, the malware captured private wallet keys and mnemonic seed sentences, encoded the information, and sent it via HTTP POST request to what appeared to be an official Injective Labs infrastructure endpoint in order to blend into normal network traffic.
As a method of minimizing detection, the malware disguised its outbound communication as legitimate injective network traffic in order to prevent detection.
As a method of minimizing detection, the malware disguised its outbound communication as legitimate injective network traffic in order to prevent detection.
By capturing multiple wallet secrets temporarily, encoding them, and transmitting them as a single request, the malicious activity was able to blend in with blockchain-related communications, avoiding detection.
The malware, according to StepSecurity researchers, collected wallet secrets for approximately two seconds before bundling them into a single request to minimize suspicion while maximizing the amount of data stolen.
In a recent report, Socket reported that 310 malicious packages had been downloaded before they were deprecated, but there is reportedly still availability of the associated malicious GitHub rele
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article:
