Compromised Injective SDK npm Package Exfiltrates Wallet Keys and Mnemonics
A compromised version (1.20.21) of the Injective Labs TypeScript SDK npm package was published containing malicious code that exfiltrates cryptocurrency wallet private keys and mnemonic phrases. The malicious package was distributed via a compromised developer account and disguised exfiltration traffic by sending base64-encoded POST requests to legitimate Injective infrastructure endpoints. Approximately 310 downloads of the malicious version occurred before detection and containment within hours. The incident poses a significant supply chain risk due to the package's high usage and many dependent packages.
AI Analysis
Technical Summary
The Injective Labs TypeScript SDK npm package version 1.20.21 was compromised through a developer account breach. The attacker injected malware that hooks wallet key generation functions to capture private keys and mnemonic phrases. This sensitive data was exfiltrated using base64-encoded POST requests sent to legitimate Injective infrastructure endpoints, masking malicious activity as normal traffic. The attacker further amplified the impact by publishing 17 additional scoped packages pinned to the malicious version. Despite rapid detection and containment within hours, the malicious package was downloaded approximately 310 times. Given the package's typical weekly download volume (~50,000) and 87 dependent packages, this represents a notable supply chain threat to cryptocurrency wallet implementations relying on this SDK.
Potential Impact
The compromise enables theft of cryptocurrency wallet private keys and mnemonic phrases, potentially leading to unauthorized access and theft of cryptocurrency assets. The supply chain nature of the attack means multiple downstream projects depending on the Injective SDK could be affected if they incorporated the malicious version. The exfiltration method disguises data theft as legitimate network traffic, complicating detection. Although the malicious version was quickly removed, the downloads that occurred pose a risk to affected users and projects.
Mitigation Recommendations
The malicious package version 1.20.21 should be considered compromised and avoided. Users and developers should verify they are not using this specific version or any packages pinned to it. Since the incident was contained within hours, upgrading to a clean, verified version of the Injective SDK is recommended. No official patch or fix is indicated, but avoiding the compromised version and its derivatives effectively mitigates the threat. Users should also review their wallet security and consider rotating keys if they used the affected version.
Indicators of Compromise
- url: https://testnet.archival.chain.grpc-web.injective.network
- hash: 103c4e6181151c1bcfedc41506cd1815458c38375d08a8fcd9981dbe0b965ce0
- hash: 9a59eb454f3ca3fe91214136ee5edd417cc47a80e6f169b52099d6561944baf9
- domain: testnet.archival.chain.grpc-web.injective.network
Compromised Injective SDK npm Package Exfiltrates Wallet Keys and Mnemonics
Description
A compromised version (1.20.21) of the Injective Labs TypeScript SDK npm package was published containing malicious code that exfiltrates cryptocurrency wallet private keys and mnemonic phrases. The malicious package was distributed via a compromised developer account and disguised exfiltration traffic by sending base64-encoded POST requests to legitimate Injective infrastructure endpoints. Approximately 310 downloads of the malicious version occurred before detection and containment within hours. The incident poses a significant supply chain risk due to the package's high usage and many dependent packages.
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Injective Labs TypeScript SDK npm package version 1.20.21 was compromised through a developer account breach. The attacker injected malware that hooks wallet key generation functions to capture private keys and mnemonic phrases. This sensitive data was exfiltrated using base64-encoded POST requests sent to legitimate Injective infrastructure endpoints, masking malicious activity as normal traffic. The attacker further amplified the impact by publishing 17 additional scoped packages pinned to the malicious version. Despite rapid detection and containment within hours, the malicious package was downloaded approximately 310 times. Given the package's typical weekly download volume (~50,000) and 87 dependent packages, this represents a notable supply chain threat to cryptocurrency wallet implementations relying on this SDK.
Potential Impact
The compromise enables theft of cryptocurrency wallet private keys and mnemonic phrases, potentially leading to unauthorized access and theft of cryptocurrency assets. The supply chain nature of the attack means multiple downstream projects depending on the Injective SDK could be affected if they incorporated the malicious version. The exfiltration method disguises data theft as legitimate network traffic, complicating detection. Although the malicious version was quickly removed, the downloads that occurred pose a risk to affected users and projects.
Mitigation Recommendations
The malicious package version 1.20.21 should be considered compromised and avoided. Users and developers should verify they are not using this specific version or any packages pinned to it. Since the incident was contained within hours, upgrading to a clean, verified version of the Injective SDK is recommended. No official patch or fix is indicated, but avoiding the compromised version and its derivatives effectively mitigates the threat. Users should also review their wallet security and consider rotating keys if they used the affected version.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://socket.dev/blog/compromised-injective-sdk-npm-package"]
- Adversary
- null
- Pulse Id
- 6a506b1789bdc92f8fe1d6d5
- Threat Score
- null
Indicators of Compromise
Url
| Value | Description | Copy |
|---|---|---|
urlhttps://testnet.archival.chain.grpc-web.injective.network | — |
Hash
| Value | Description | Copy |
|---|---|---|
hash103c4e6181151c1bcfedc41506cd1815458c38375d08a8fcd9981dbe0b965ce0 | — | |
hash9a59eb454f3ca3fe91214136ee5edd417cc47a80e6f169b52099d6561944baf9 | — |
Domain
| Value | Description | Copy |
|---|---|---|
domaintestnet.archival.chain.grpc-web.injective.network | — |
Threat ID: 6a50a39468715ace433baa8b
Added to database: 07/10/2026, 07:47:32 UTC
Last enriched: 07/10/2026, 08:02:38 UTC
Last updated: 07/10/2026, 08:02:38 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.