malware
npm
@injectivelabs/wallet-turnkey
discovered 2026-07-09Version 1.20.21 of this @injectivelabs-scope package was published by the threat actor alongside the compromised SDK. It does NOT contain the stealer code directly, but has a direct or transitive dependency on @injectivelabs/sdk-ts pinned to the malicious 1.20.21, so installing it at 1.20.21 transitively pulls in the infostealer. Remediation: pin all @injectivelabs packages to the clean 1.20.23 release and check transitive dependencies, not just direct ones.
Threat types
other
Malicious versions
- 1.20.21