Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Compromised Injective SDK npm Package Exfiltrates Wallet Keys and Mnemonics

0
Medium
Published: 07/10/2026 (07/10/2026, 03:46:31 UTC)
Source: AlienVault OTX General

Description

A compromised version (1.20.21) of the Injective Labs TypeScript SDK npm package was published containing malicious code that exfiltrates cryptocurrency wallet private keys and mnemonic phrases. The malicious package was distributed via a compromised developer account and disguised exfiltration traffic by sending base64-encoded POST requests to legitimate Injective infrastructure endpoints. Approximately 310 downloads of the malicious version occurred before detection and containment within hours. The incident poses a significant supply chain risk due to the package's high usage and many dependent packages.

Affected software

Affected versions
=1.20.21

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/10/2026, 08:02:38 UTC

Technical Analysis

The Injective Labs TypeScript SDK npm package version 1.20.21 was compromised through a developer account breach. The attacker injected malware that hooks wallet key generation functions to capture private keys and mnemonic phrases. This sensitive data was exfiltrated using base64-encoded POST requests sent to legitimate Injective infrastructure endpoints, masking malicious activity as normal traffic. The attacker further amplified the impact by publishing 17 additional scoped packages pinned to the malicious version. Despite rapid detection and containment within hours, the malicious package was downloaded approximately 310 times. Given the package's typical weekly download volume (~50,000) and 87 dependent packages, this represents a notable supply chain threat to cryptocurrency wallet implementations relying on this SDK.

Potential Impact

The compromise enables theft of cryptocurrency wallet private keys and mnemonic phrases, potentially leading to unauthorized access and theft of cryptocurrency assets. The supply chain nature of the attack means multiple downstream projects depending on the Injective SDK could be affected if they incorporated the malicious version. The exfiltration method disguises data theft as legitimate network traffic, complicating detection. Although the malicious version was quickly removed, the downloads that occurred pose a risk to affected users and projects.

Mitigation Recommendations

The malicious package version 1.20.21 should be considered compromised and avoided. Users and developers should verify they are not using this specific version or any packages pinned to it. Since the incident was contained within hours, upgrading to a clean, verified version of the Injective SDK is recommended. No official patch or fix is indicated, but avoiding the compromised version and its derivatives effectively mitigates the threat. Users should also review their wallet security and consider rotating keys if they used the affected version.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://socket.dev/blog/compromised-injective-sdk-npm-package"]
Adversary
null
Pulse Id
6a506b1789bdc92f8fe1d6d5
Threat Score
null

Indicators of Compromise

Url

ValueDescriptionCopy
urlhttps://testnet.archival.chain.grpc-web.injective.network

Hash

ValueDescriptionCopy
hash103c4e6181151c1bcfedc41506cd1815458c38375d08a8fcd9981dbe0b965ce0
hash9a59eb454f3ca3fe91214136ee5edd417cc47a80e6f169b52099d6561944baf9

Domain

ValueDescriptionCopy
domaintestnet.archival.chain.grpc-web.injective.network

Threat ID: 6a50a39468715ace433baa8b

Added to database: 07/10/2026, 07:47:32 UTC

Last enriched: 07/10/2026, 08:02:38 UTC

Last updated: 07/10/2026, 08:02:38 UTC

Views: 3

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses