A malicious version of the @injectivelabs/sdk-ts npm package (version 1.20.21) was briefly published to the official Injective Labs npm namespace after a contributor account was compromised. The package contained credential-stealing functionality that silently exfiltrated cryptocurrency wallet mnemonic phrases and private keys during normal library usage. Although the malicious release was detected and replaced within approximately one hour, the compromised version remained available for download after being deprecated, and additional Injective packages were released with dependencies pinned to the malicious SDK version.
Rather than executing during package installation, the malicious code activated only when applications used wallet-related functionality. Specifically, the fromMnemonic and fromHex functions responsible for generating wallet private keys were modified to intercept mnemonic phrases and private key material before forwarding them to the legitimate implementation. The captured secrets were Base64-encoded and transmitted via HTTPS POST requests to an Injective-owned public infrastructure endpoint (testnet.archival.chain.grpc-web.injective.network), allowing the traffic to blend with expected application communications and reducing the likelihood of detection.
The compromise extended beyond @injectivelabs/sdk-ts@1.20.21. The threat actor simultaneously published version 1.20.21 of 17 additional packages within the @injectivelabs namespace, each directly or transitively depending on the malicious SDK version. This increased the attack's reach to downstream projects that may not have explicitly imported the compromised package. The malicious release received approximately 310 downloads before being deprecated, limiting observed exposure despite the SDK's popularity of roughly 50,000 weekly downloads.