Injective Labs SDK Compromised with Wallet Stealer on npm

Injective Labs SDK Compromised with Wallet Stealer on npm

First seen 9 Jul 2026, 20:56 UTC Aikido.DevBleepingcomputerwww.ox.security 84% similarity 69.0

Article Content

Browse articles
ThreatCluster

A malicious version of the @injectivelabs/sdk-ts npm package, version 1.20.21, was published on June 8, 2026, after hackers compromised a legitimate contributor's GitHub account. This package, with around 50,000 weekly downloads, was designed to steal cryptocurrency wallet private keys and mnemonic seed phrases. The malicious code was embedded in two build artifacts and activated when developers used specific SDK functions. The attackers also published the same malicious version across 17 other related packages. The compromised version was downloaded 310 times before being deprecated. The legitimate maintainer quickly reverted the changes and released a clean version, 1.20.23. Security firms have warned that developers using the SDK may have been compromised and should take immediate action to secure their wallets. The malicious code disguised its exfiltration traffic to appear legitimate, making detection difficult.

Key Points: • Malicious npm package version 1.20.21 published, stealing wallet keys and mnemonics. • Attackers compromised a GitHub account of a legitimate contributor to publish the malicious code. • Developers using the SDK functions may have had their wallets compromised.

ThreatCluster AI

Timeline

2026-06-08
Malicious version 1.20.21 published
Hackers published a compromised version of the @injectivelabs/sdk-ts npm package, which stole wallet keys.
Aikido.Dev
2026-06-08
17 related packages also compromised
The same malicious version was published across 17 other packages associated with Injective Labs.
Bleepingcomputer
2026-06-08
Malicious package downloaded 310 times
Before being deprecated, the malicious version was downloaded 310 times by developers.
Bleepingcomputer
2026-06-08
Clean version 1.20.23 released
The legitimate maintainer quickly reverted the malicious changes and published a clean version of the SDK.
Aikido.Dev

Community

Browse all →