Bleepingcomputer
Injective Labs SDK Compromised with Wallet Stealer on npm
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A malicious version of the @injectivelabs/sdk-ts npm package, version 1.20.21, was published on June 8, 2026, after hackers compromised a legitimate contributor's GitHub account. This package, with around 50,000 weekly downloads, was designed to steal cryptocurrency wallet private keys and mnemonic seed phrases. The malicious code was embedded in two build artifacts and activated when developers used specific SDK functions. The attackers also published the same malicious version across 17 other related packages. The compromised version was downloaded 310 times before being deprecated. The legitimate maintainer quickly reverted the changes and released a clean version, 1.20.23. Security firms have warned that developers using the SDK may have been compromised and should take immediate action to secure their wallets. The malicious code disguised its exfiltration traffic to appear legitimate, making detection difficult.
Key Points: • Malicious npm package version 1.20.21 published, stealing wallet keys and mnemonics. • Attackers compromised a GitHub account of a legitimate contributor to publish the malicious code. • Developers using the SDK functions may have had their wallets compromised.