@injectivelabs/sdk-ts
discovered 2026-07-09Official Injective Labs TypeScript SDK (~50,000 weekly downloads, 87 direct npm dependents) compromised via takeover of a trusted GitHub contributor account on InjectiveLabs/injective-ts. Malicious version 1.20.21 ships an injected wallet-key/mnemonic infostealer disguised as telemetry. The payload has NO install-time footprint: it lives in two bundled build outputs (dist/esm/accounts-jQ1GSgaW.js and dist/cjs/accounts-Cy0p4lLW.cjs) and fires only at runtime when the SDK's key-derivation functions are used. PrivateKey.fromMnemonic and fromHex are hooked to also call an injected trackKeyDerivation function that logs a hardcoded method marker ("fm" for from-mnemonic) plus the sensitive material needed to regenerate the key (full mnemonic phrase for fromMnemonic; private-key material for fromHex). The captured material is base64-encoded and exfiltrated via HTTP POST to a legitimate Injective public infrastructure endpoint (testnet.archival.chain.grpc-web.injective.network, character-obfuscated on disk) so exfil traffic blends with normal SDK network usage. Stolen mnemonic/private-key material is sufficient by itself to regenerate victim wallet keys and drain funds. Timeline (GMT+2): suspicious commits + test-backdoor-check branch Jun 8 20:06; 1.20.21 published to npm Jun 8 22:59; owner revert Jun 8 23:18; clean 1.20.23 published Jun 8 23:48. Downloaded 310 times per npm stats. At time of writing 1.20.21 was deprecated (author warning) but NOT unpublished, and GitHub release artifacts remained downloadable. Fixed/clean version: 1.20.23.
Threat types
Malicious versions
- 1.20.21
Indicators
- domain testnet.archival.chain.grpc-web.injective.networkcommunicates-with
- url https://testnet.archival.chain.grpc-web.injective.networkexfiltrates-to
- sha256 103c4e6181151c1bcfedc41506cd1815458c38375d08a8fcd9981dbe0b965ce0indicates
- sha256 9a59eb454f3ca3fe91214136ee5edd417cc47a80e6f169b52099d6561944baf9indicates
- file_path /dist/cjs/accounts-Cy0p4lLW.cjsindicates
- file_path /dist/esm/accounts-jQ1GSgaW.jsindicates
- github_repo InjectiveLabs/injective-tsindicates
Techniques
- ttp T1195.002 Compromise Software Supply Chainuses
- ttp T1078 Valid Accountsuses
- ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
- ttp T1027 Obfuscated Files or Informationuses
- ttp T1140 Deobfuscate/Decode Files or Informationuses
- ttp T1552 Unsecured Credentialsuses
- ttp T1041 Exfiltration Over C2 Channeluses
- ttp T1071.001 Application Layer Protocol: Web Protocolsuses