malware npm

@injectivelabs/sdk-ts

discovered 2026-07-09

Official Injective Labs TypeScript SDK (~50,000 weekly downloads, 87 direct npm dependents) compromised via takeover of a trusted GitHub contributor account on InjectiveLabs/injective-ts. Malicious version 1.20.21 ships an injected wallet-key/mnemonic infostealer disguised as telemetry. The payload has NO install-time footprint: it lives in two bundled build outputs (dist/esm/accounts-jQ1GSgaW.js and dist/cjs/accounts-Cy0p4lLW.cjs) and fires only at runtime when the SDK's key-derivation functions are used. PrivateKey.fromMnemonic and fromHex are hooked to also call an injected trackKeyDerivation function that logs a hardcoded method marker ("fm" for from-mnemonic) plus the sensitive material needed to regenerate the key (full mnemonic phrase for fromMnemonic; private-key material for fromHex). The captured material is base64-encoded and exfiltrated via HTTP POST to a legitimate Injective public infrastructure endpoint (testnet.archival.chain.grpc-web.injective.network, character-obfuscated on disk) so exfil traffic blends with normal SDK network usage. Stolen mnemonic/private-key material is sufficient by itself to regenerate victim wallet keys and drain funds. Timeline (GMT+2): suspicious commits + test-backdoor-check branch Jun 8 20:06; 1.20.21 published to npm Jun 8 22:59; owner revert Jun 8 23:18; clean 1.20.23 published Jun 8 23:48. Downloaded 310 times per npm stats. At time of writing 1.20.21 was deprecated (author warning) but NOT unpublished, and GitHub release artifacts remained downloadable. Fixed/clean version: 1.20.23.

Threat types

credential_stealer data_exfiltration

Malicious versions

  • 1.20.21

Indicators

Techniques

Read the full analysis →