Injective npm package maliciously altered, hackers attempt to steal wallet private keys and seed phrases
2026-07-10 03:22
Odaily reported, according to Socket monitoring, the Injective blockchain npm package @injectivelabs/sdk-ts has been maliciously altered. The attacker implanted malicious code to steal wallet private keys and seed phrases by compromising a developer's GitHub account, and sent the stolen encoded data to an address disguised as a legitimate Injective network server. This package has approximately 50,000 weekly downloads. Malicious version 1.20.21 had suspicious commits starting from June 8, and the vulnerability was locked within 17 other packages under the Injective Labs npm namespace. Users who did not directly install this SDK may also be affected.
