npm · Malicious package advisory
Malware@injectivelabs/sdk-ts
MAL-2026-10165
Malicious code in @injectivelabs/sdk-ts (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (dce156fa9e153261f384633eb80b2d493c99ba1666d1b4b874b361a1cc574030) The wallet/accounts module (dist/esm/accounts-jQ1GSgaW.js) contains injected code that reconstructs a remote host from a char-code array via String.fromCharCode, decoding to testnet.archival.chain.grpc-web.injective.network, and builds the endpoint https://<host>/. When a wallet is created or used, the code reads the BIP-39 mnemonic (via @scure/bip39 generateMnemonic and ethers HDNodeWallet) and POSTs it base64-encoded, placed in an X-Request-Id header with an application/grpc-web+proto content-type, to that endpoint, with a Node http fallback. The char-code obfuscation of the host and the grpc-web framing disguise the exfiltration as normal Injective SDK traffic. Any mnemonic handled by this version is transmitted to the operator of that host, exposing the wallet's master key.
Compromised versions (1)
- 1.20.21
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.