{"id":22000,"date":"2026-07-11T10:14:40","date_gmt":"2026-07-11T10:14:40","guid":{"rendered":"https:\/\/www.securitytoday.de\/?p=22000"},"modified":"2026-07-11T10:18:57","modified_gmt":"2026-07-11T10:18:57","slug":"an-npm-package-that-stole-the-private-keys","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2026\/07\/11\/an-npm-package-that-stole-the-private-keys\/","title":{"rendered":"An npm package that stole the private keys"},"content":{"rendered":"<p style=\"color:#69d8ed;font-size:0.9em;margin:0 0 16px;padding:0;\">5 min read<\/p>\n<p><strong>A popular npm package with around 50,000 weekly downloads briefly exfiltrated users&#8217; private keys. The official Injective SDK contained a function disguised as telemetry that harvested wallet keys and mnemonics. Security firm Socket uncovered the issue. The case demonstrates how a single compromised dependency can poison an entire build.<\/strong><\/p>\n<div style=\"background:#003340;color:#fff;padding:32px 36px;margin:32px 0;border-radius:8px;\">\n<p style=\"margin:0 0 18px 0;font-size:0.95em;font-weight:800;text-transform:uppercase;letter-spacing:0.2em;color:#69d8ed;border-bottom:2px solid rgba(105,216,237,0.25);padding-bottom:12px;\">Key Takeaways<\/p>\n<ul style=\"margin:0;padding-left:22px;color:rgba(255,255,255,0.92);line-height:1.6;\">\n<li style=\"margin-bottom:12px;\"><strong style=\"color:#69d8ed;\">One package, many victims.<\/strong> The compromised @injectivelabs\/sdk-ts siphoned off private keys and mnemonics, spreading through 17 dependent packages.<\/li>\n<li style=\"margin-bottom:12px;\"><strong style=\"color:#69d8ed;\">Disguised as telemetry.<\/strong> The malicious function encoded the data in base64 and silently sent it to an obfuscated endpoint.<\/li>\n<li><strong style=\"color:#69d8ed;\">Far beyond crypto.<\/strong> Any build that pulls dependencies without scrutiny carries the same risk. Pinning, signature verification, and rapid rotation are the solution.<\/li>\n<\/ul>\n<\/div>\n<p style=\"border-top:1px solid rgba(230,227,218,0.14);border-bottom:1px solid rgba(230,227,218,0.14);padding:14px 0;margin:28px 0;font-size:0.92em;color:#b8c5ce;\"><strong style=\"color:#69d8ed;\">Related:<\/strong> A signed driver blinds endpoint protection &nbsp;\u00b7&nbsp; <a href=\"https:\/\/www.securitytoday.de\/en\/2026\/07\/02\/when-attackers-are-faster-than-the-patch\/\">When attackers outpace the patch<\/a><\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">What lurked inside the Injective SDK<\/h2>\n<p><strong>What is a supply-chain attack?<\/strong> Instead of targeting a company directly, a supply-chain attack goes after a component used by many. When a public dependency is tampered with, the malicious code flows through the normal installation process to anyone who pulls the package.<\/p>\n<p>In this case, the TypeScript library @injectivelabs\/sdk-ts-a tool for applications around the Injective blockchain-was affected. A tampered version included a function masquerading as telemetry. In reality, it harvested credentials. The call to derive a wallet from a mnemonic logged the entire phrase, while the call using a private key captured its material.<\/p>\n<p>The stolen data was base64-encoded and silently sent via a network request to an obfuscated endpoint. The process remained invisible to developers. The package sees around 50,000 downloads per week. The malicious version was also distributed through 17 other Injective packages. Anyone who included one of these was exposed, even if they never directly installed the original library.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">How the backdoor slipped into the code<\/h2>\n<p>The entry point was the official project itself. The malicious function made its way into the GitHub repository via commits from an account with a long contribution history-exactly the kind of profile that raises no red flags. That\u2019s what makes hijacking an established contributor so effective.<\/p>\n<p>The timeline was telling. Weeks before the release, a test branch with a name hinting at a backdoor check appeared in the repository. Such traces are obvious in hindsight but easily overlooked in the day-to-day of an active open-source project.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">Why this affects every build<\/h2>\n<p>While this incident wears a crypto label, the pattern is universal. Every modern application pulls in dozens-if not hundreds-of third-party packages, often through multiple layers. A single compromised link is all it takes. Then, the malicious code runs with the same permissions as the build.<\/p>\n<p>Transitive dependencies are particularly risky. A team consciously includes one package but inherits its entire dependency chain-something they never vetted. If credentials, tokens, or keys are stored in a development environment with unchecked dependencies, they\u2019re handing attackers exactly what they\u2019re after.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">What Developers and Security Teams Should Do Now<\/h2>\n<p>The first question is: Is an affected version running in-house? Without a reliable dependency inventory, the answer is just guesswork. Only then do the technical levers come into play.<\/p>\n<div data-element=\"checklist\" style=\"background:#23261f;border:1px solid rgba(105,216,237,0.22);border-radius:10px;padding:22px 24px;margin:32px 0;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 2px 10px rgba(0,0,0,0.22);\">\n<p style=\"margin:0 0 12px;font-family:'IBM Plex Mono',ui-monospace,SFMono-Regular,monospace;font-size:0.72em;letter-spacing:0.12em;text-transform:uppercase;color:#69d8ed;\">Check Immediately<\/p>\n<ul style=\"margin:0;padding-left:0;list-style:none;\">\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Locate the affected SDK version across all projects-both direct and transitive dependencies-then upgrade to the patched release.<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Treat all keys and mnemonics processed by a compromised version as exposed-rotate them and move funds.<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Pin dependencies via lockfiles and apply updates deliberately, not automatically.<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Verify provenance (npm provenance) and package signatures, and maintain a software bill of materials (SBOM).<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Avoid long-lived secrets in build environments with unvetted dependencies, and restrict CI\/CD system permissions tightly.<\/li>\n<\/ul>\n<\/div>\n<p>Dependency analysis tools cut response time by flagging tampered packages before they\u2019re widely deployed. But the real leverage is organizational: If you don\u2019t know your supply chain, you can\u2019t protect it.<\/p>\n<h2 style=\"margin-top:48px;margin-bottom:18px;\">A Supply Chain Stress Test<\/h2>\n<p>Injective stated it resolved the incident in under an hour and caused no user harm-a claim from the provider itself. Regardless, the lesson holds: A project\u2019s rapid response doesn\u2019t absolve users of securing their own chain.<\/p>\n<p>For companies subject to NIS2 or DORA, supply chain risk is no longer theoretical. Both frameworks require organizations to manage risks from suppliers and components. A tampered package in your build pipeline is exactly the scenario these regulations target.<\/p>\n<h2 style=\"padding-top:64px;margin-bottom:20px;\">Frequently Asked Questions<\/h2>\n<p class=\"st-faq-hint\">Each question is locked. Tap to unlock the answer.<\/p>\n<details>\n<summary><strong>What is a supply-chain attack?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">A supply-chain attack manipulates a component shared by many targets, such as a public software dependency. The malicious code then spreads through the normal installation process to everyone who includes the package.<\/p>\n<\/details>\n<details>\n<summary><strong>Am I affected if I never directly installed the SDK?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Possibly. The compromised version was distributed via 17 other packages. Anyone who included one of those inherited the dependency transitively, without ever directly pulling the actual library.<\/p>\n<\/details>\n<details>\n<summary><strong>Is updating to the cleaned version enough?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">As a first step, yes-but not as the only one. Keys and mnemonics that passed through an affected version are considered compromised. They need to be rotated, and funds should be moved.<\/p>\n<\/details>\n<details>\n<summary><strong>How did the malicious code end up in an official project?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Through commits from an account with a long history of contributions to the official repository. An established contributor raises no suspicion, making the takeover of such an account particularly effective.<\/p>\n<\/details>\n<details>\n<summary><strong>What offers the best protection against such attacks?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">A well-documented dependency inventory, pinned lockfiles, verified provenance and signatures, and tightly scoped permissions in the build process. Additionally, avoid long-lived secrets in environments with unvetted dependencies.<\/p>\n<\/details>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">Editor&#8217;s Picks<\/h3>\n<p><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/05\/29\/the-token-that-bypasses-mfa-why-oauth-theft-is-the-new-entry-point\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/06\/oauth-token-diebstahl-mfa-umgehung-device-code-saas-soc-cover-hero-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">OAuth Token Theft: How Attackers Bypass MFA<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/07\/08\/what-is-ransomware-definition-process-protection\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/was-ist-ransomware-cover-hero-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">How a Ransomware Attack Unfolds<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/07\/10\/edr-vs-xdr-definition-key-differences\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/was-ist-edr-xdr-cover-hero-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">What Really Sets EDR and XDR Apart<\/span><\/span><\/a><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">More from the MBF Media Network<\/h3>\n<p><a href=\"https:\/\/www.cloudmagazin.com\/2026\/07\/08\/ki-modell-denken-anthropic-j-space\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-ki-modell-denken-anthropic-j-space-86585047.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#0bb7fd;margin-bottom:5px;\">cloudmagazin<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">For the first time, you can watch an AI think<\/span><\/span><\/a><a href=\"https:\/\/mybusinessfuture.com\/ki-mittelstand-pilot-skalierung-roi-roadmap\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/mybusinessfuture.com\/wp-content\/uploads\/2026\/07\/ki-mittelstand-pilot-skalierung-roi-roadmap-cover-hero-760x434.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#aa8ac2;margin-bottom:5px;\">MyBusinessFuture<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">From pilot to scale: AI in SMEs<\/span><\/span><\/a><a href=\"https:\/\/www.digital-chiefs.de\/konglomerat-holding-aumovio-tkms-siemens-it-carve-out-2026\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-konglomerat-holding-aumovio-tkms-siemens-42852037-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#e8828d;margin-bottom:5px;\">Digital Chiefs<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">IT determines whether the spin-off pays off<\/span><\/span><\/a><\/p>\n<p style=\"text-align:right;color:#868e96;font-size:0.85em;margin-top:48px;\"><em>Image source: AI-generated (July 2026)<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"Cybersecurity: A manipulated npm-SDK accessed private wallet keys and spread across 17 packages. Why every build is affected.","protected":false},"author":50,"featured_media":21993,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"npm supply chain attack","_yoast_wpseo_title":"An npm package that stole the private keys","_yoast_wpseo_metadesc":"**\"Cyberattack alert! Hacked npm-SDK stole private keys - spreading via 17 packages. Secure your builds NOW!\"** (149 chars)","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"","_yoast_wpseo_twitter-image-id":0,"evm_cvss":0,"evm_risk":0,"evm_casefile":"","evm_primary_cve":"","_evm_translation_lang":"","featured_post":0,"featured_post_sortierung":0,"_wp_old_slug":[],"footnotes":""},"categories":[254],"tags":[],"class_list":["post-22000","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-praxis-umsetzung"],"evm_reading_time_minutes":6,"wpml_language":"en","wpml_translation_of":21992,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/22000","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/50"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=22000"}],"version-history":[{"count":1,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/22000\/revisions"}],"predecessor-version":[{"id":22001,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/22000\/revisions\/22001"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/21993"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=22000"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=22000"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=22000"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}