malware npm

@injectivelabs/wallet-magic

discovered 2026-07-09

Version 1.20.21 of this @injectivelabs-scope package was published by the threat actor alongside the compromised SDK. It does NOT contain the stealer code directly, but has a direct or transitive dependency on @injectivelabs/sdk-ts pinned to the malicious 1.20.21, so installing it at 1.20.21 transitively pulls in the infostealer. Remediation: pin all @injectivelabs packages to the clean 1.20.23 release and check transitive dependencies, not just direct ones.

Threat types

other

Malicious versions

  • 1.20.21
Read the full analysis →