Attackers compromised the Injective Labs SDK GitHub repository and published malicious npm package version 1.20.21 that stole cryptocurrency wallet private keys and mnemonic seed phrases from developers.
Attackers compromised the Injective Labs SDK GitHub repository and published malicious npm package version 1.20.21 that stole cryptocurrency wallet private keys and mnemonic seed phrases from developers.

Attackers compromised the Injective Labs SDK GitHub repository on July 8 and published a malicious version of the @injectivelabs/sdk-ts package on npm that captured cryptocurrency wallet private keys and mnemonic seed phrases, security firms Socket, Ox Security and StepSecurity reported.
"The attacker used a compromised maintainer account to push code disguised as analytics telemetry directly to the master branch, bypassing pull request review," the Socket research team said in a report. "The payload activated only when developers called wallet-construction functions, making it invisible to standard npm install-time scanning."
The malicious version 1.20.21 of the TypeScript SDK — downloaded 310 times before being deprecated — targeted the PrivateKey.fromMnemonic() and PrivateKey.fromHex() methods, the two primary entry points for turning seed phrases or hex keys into signing keys on the Injective blockchain. The malware queued captured secrets for two seconds, base64-encoded them, and exfiltrated them via an HTTP POST request header to a domain mimicking legitimate Injective gRPC-Web infrastructure at testnet.archival.chain.grpc-web.injective.network.
The attacker published the same compromised version across 17 additional @injectivelabs scoped packages that pinned an exact dependency on the backdoored SDK, expanding the blast radius. Ox Security said the 87 packages that directly depend on @injectivelabs/sdk-ts had cumulative downloads exceeding 112,000. The legitimate maintainer detected the breach within roughly 22 to 52 minutes, reverted the changes and published a clean release at version 1.20.23.
The incident marks the latest supply-chain attack targeting the JavaScript ecosystem, following the Shai-Hulud campaign that compromised 600 npm packages and the IronWorm malware that hit 36 packages earlier this year. Developers who installed the affected packages during the exposure window should treat any wallet secrets as compromised, transfer funds to new wallets and rotate all environment credentials. The malicious GitHub release artifacts remain available as of publication.
This article is for informational purposes only and does not constitute investment advice.