Compromised Injective npm SDK stole crypto wallet keys from developers' apps
Attackers compromised a legitimate maintainer's GitHub account for the Injective blockchain SDK and used it to push a malicious version of the widely used @injectivelabs/sdk-ts npm package, which has around 50,000 weekly downloads. The tainted code, disguised as usage telemetry, hooked the SDK's wallet key-generation functions to capture private keys and seed phrases, then sent them to a server made to look like legitimate Injective infrastructure. Trusted-publishing automation spread the malicious release across 18 packages within minutes, though it was live under an hour before being pulled. Because the theft can reach apps that used the SDK only indirectly, any wallet keys handled by affected versions should be treated as compromised.
- Check
- Check whether your projects or dependencies pulled the malicious Injective SDK version, including transitive dependencies and cached copies, and review whether any wallet keys or seed phrases passed through affected code.
- Affected
- Developers and applications using the affected @injectivelabs/sdk-ts versions, and their users; the malware captured wallet private keys and seed phrases, even for apps that depended on the SDK only indirectly.
- Fix
- Move any potentially exposed cryptocurrency to fresh wallets, rotate secrets in affected environments, pin dependencies to known-good versions, and protect maintainer accounts and publishing pipelines with phishing-resistant MFA.