Snyk has reported that there have been attempts or successful attacks targeting this vulnerability.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsAvoid using all malicious instances of the @injectivelabs/sdk-ts package.
@injectivelabs/sdk-ts is a SDK in TypeScript for building Injective applications in a browser, node, and react native environment.
Affected versions of this package are vulnerable to Embedded Malicious Code. The compromised version of this package contains a malicious trackKeyDerivation() function inserted into the account modules accounts-jQ1GSgaW.js and accounts-Cy0p4lLW.cjs, which hooks the fromMnemonic() and fromHex() key-derivation functions to capture full mnemonic phrases and private-key material. The code base64-encodes the captured secrets and exfiltrates them through a POST request to a character-obfuscated endpoint intended to resemble Injective infrastructure. It executes during normal library use rather than at install time, to evade detection.
The same actor also published version 1.20.21 of 17 other @injectivelabs/* packages, but those packages contain no additional malicious code of their own. They are implicated solely because each pinned the compromised @injectivelabs/sdk-ts@1.20.21 as a dependency, pulling the backdoor in.
Note: The compromised version has been labelled "compromised" and deprecated on npmjs.com, but not removed as of the time of publication.