VYPR
breachPublished Jul 9, 2026· 1 source

Injective SDK on npm Compromised, Stealing Cryptocurrency Wallet Keys

A malicious version of the Injective SDK package was published on npm, compromising developers and potentially stealing cryptocurrency wallet private keys and seed phrases.

Injective Labs' official software development kit (SDK) for the Injective blockchain was compromised, leading to the distribution of a malicious package on the Node Package Manager (npm) that targeted cryptocurrency users. Security firms Socket, Ox Security, and StepSecurity detected the supply-chain attack through version 1.20.21 of the @injectivelabs/sdk-ts npm package, which is crucial for developers building decentralized finance (DeFi) applications, wallets, and trading bots on the Injective Layer-1 blockchain.

The attack vector involved the compromise of a legitimate contributor's GitHub account, which was then used to push malicious commits and publish the tainted package. The attacker also updated 17 other associated packages to this compromised version, effectively broadening the potential impact. While the legitimate owner quickly reverted the changes and released a clean version, systems that had already downloaded or updated to the malicious version were likely affected.

This malicious package, downloaded approximately 310 times before being deprecated, posed a significant risk due to its extensive dependency tree. With 87 direct dependencies and numerous transitive ones, the compromise could have cascaded through many other projects. The cumulative download count for these dependent packages exceeded 112,000, highlighting the widespread potential for infection.

The malware's design was particularly insidious, activating only when developers used specific SDK functions related to generating or importing wallet keys. This targeted approach meant that not all users of the package were immediately at risk, but those who performed key management operations were directly targeted.

Upon activation, the malware captured full mnemonic seed phrases and private keys. This sensitive data was then encoded in base64 and exfiltrated via HTTP POST requests to a legitimate Injective Labs public infrastructure endpoint. This tactic was designed to disguise the malicious traffic as normal network activity, making detection more challenging.

Instead of sending stolen secrets immediately, the malware bundled multiple captured keys and mnemonics, queuing them for two seconds before transmitting them in the HTTP request header. This method of exfiltration could allow attackers to gather a larger volume of credentials before detection, increasing the potential for significant financial loss.

Developers who suspect their systems may have been compromised are strongly advised to immediately transfer any cryptocurrency assets to new, secure wallets and rotate all sensitive credentials within their development environment. The incident underscores the persistent threat of supply-chain attacks targeting the software development ecosystem, particularly within the cryptocurrency space.

Synthesized by Vypr AI