Unknown threat actors compromised the Injective Labs SDK project’s GitHub repository and leveraged it to publish a malicious package on the npm registry to steal cryptocurrency wallet private keys and mnemonic seed phrases.
The compromised version, @injectivelabs/sdk-ts@1.20.21, came embedded with fake telemetry functionality that exfiltrated data from cryptocurrency wallets. The version was released on July 8, 2026, but has since been deprecated on the registry. That said, the release artifacts belonging to the compromised version are still available for download from GitHub as of writing.
“The malicious functionality was introduced to the project’s official GitHub repository through commits submitted by a GitHub account belonging to a developer with an established history of contributions to the repository,” Socket said.
The software supply chain security firm said the threat actor behind the attack also published version 1.20.21 across 17 additional @injectivelabs scoped packages that depended on and pinned the malicious SDK version, thereby putting transitive users who may not have installed the library directly. This includes –
The malware present within the package is fairly simple and straightforward, which gets triggered when the library functionality is used by an unsuspecting developer. By avoiding lifecycle scripts and not launching it during the installation phase, it helps the malware fly under the radar.
Specifically, the poisoned version has been found to modify legitimate functions used in workflows to generate private keys by invoking a “trackKeyDerivation()” function under the guise of collecting anonymized usage metrics for SDK optimization.
“Tracks which key derivation methods are used (hex vs mnemonic) and derives timing patterns to help the SDK team identify performance bottlenecks and understand adoption of different key formats across the ecosystem,” reads the description of the supposed telemetry function. “All metrics are fire-and-forget and never block or affect key derivation.”
According to Socket, parameters passed to the function include a hard-coded marker describing the method used to generate the private key and the actual sensitive information needed for generating the private key. The captured material is enough for the threat actor to regenerate the private key at their end.
Leave a Reply