A malicious release of the npm package @injectivelabs/sdk-ts (v1.20.21) was published in a software supply-chain attack that embedded infostealer functionality to capture cryptocurrency wallet private keys and mnemonic phrases. The tainted code was introduced through commits to Injective Labs’ official GitHub repository using a contributor account with prior project history, then shipped to npm, where it hooked wallet key-generation functions during normal library use, base64-encoded the captured secrets, and exfiltrated them in POST requests to an Injective Labs public infrastructure endpoint to blend with legitimate traffic.
The compromise extended beyond the core package through dependency poisoning: attackers published 17 additional @injectivelabs scoped packages pinned to the malicious SDK version, and reporting identified 87 dependent packages in scope with a combined 112,378 downloads. Although the malicious sdk-ts release was reportedly downloaded about 310 times before detection and rollback, the compromised npm version and GitHub release artifacts remained available at the time of reporting. Developers were urged to upgrade to 1.20.23, audit direct and transitive @injectivelabs dependencies, and treat any mnemonic phrases or private keys processed by affected versions as compromised.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
The @injectivelabs/sdk-ts compromise was publicly reported in GitHub issue #697. This marked a public disclosure of the incident separate from the malicious publication, revert, and clean package release.
A clean version of the package, 1.20.23, was published shortly after the malicious release was reverted. Developers were advised to upgrade and treat any keys or mnemonic phrases processed by affected versions as compromised.
The malicious activity was detected and reverted quickly on the night it began. This rapid response appears to have limited impact, with the compromised npm version reportedly downloaded 310 times.
A malicious version of @injectivelabs/sdk-ts (v1.20.21) was published to npm as part of a supply-chain attack. The attacker also caused additional @injectivelabs packages to depend on the compromised version, expanding exposure across the ecosystem.
Malicious activity involving the npm package @injectivelabs/sdk-ts version 1.20.21 began on June 8, 2026. The compromised package contained code that captured wallet private keys and mnemonic phrases and exfiltrated them to an InjectiveLabs public infrastructure endpoint.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
ox.security
Open sourcesocket.dev
Open sourcebleepingcomputer.com
Open sourcesecuritylabs.datadoghq.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.