Supply-chain threat intelligence

Incident detail

criticalnpm·credential theft·osv

Malicious code in @injectivelabs/sdk-ts (npm)

@injectivelabs/sdk-ts

Risk score

92

AI summary

Indexed incident for @injectivelabs/sdk-ts (npm).

Description

The wallet/accounts module (dist/esm/accounts-jQ1GSgaW.js) contains injected code that reconstructs a remote host from a char-code array via String.fromCharCode, decoding to testnet.archival.chain.grpc-web.injective.network, and builds the endpoint https:///. When a wallet is created or used, the code reads the BIP-39 mnemonic (via @scure/bip39 generateMnemonic and ethers HDNodeWallet) and POSTs it base64-encoded, placed in an X-Request-Id header with an application/grpc-web+proto content-type, to that endpoint, with a Node http fallback. The char-code obfuscation of the host and the grpc-web framing disguise the exfiltration as normal Injective SDK traffic. Any mnemonic handled by this version is transmitted to the operator of that host, exposing the wallet's master key.

Technical details

Affected versions

=1.20.21

Indicators

  • affected version=1.20.2175%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents