Security company Socket discovers malicious code implanted in Injective blockchain npm package
According to Cointelegraph, security company Socket has discovered that the npm package @ injivelabs/sdk ts for Injective blockchain has been maliciously modified. The attacker infiltrated the developer's GitHub account and implanted malicious code that stole wallet private keys and mnemonics, and sent the data to an address disguised as a legitimate Injective network server. The software package has been downloaded approximately 50000 times per week, and the malicious version 1.20.21 has been suspected of submitting since June 8th and has been locked in 17 other packages within the scope of Injective Labs npm.