Injective npm Package Hit by Malicious Tampering, Hackers Attempt to Steal Wallet Private Keys and Seed Phrases
2026-07-10 03:22
Odaily Planet Daily News: According to Socket monitoring, the Injective blockchain npm package @injectivelabs/sdk-ts has been maliciously tampered with. Attackers compromised the developer's GitHub account to inject malicious code designed to steal wallet private keys and seed phrases, which were then encoded and sent to an address masquerading as a legitimate Injective network server. This package has approximately 50,000 weekly downloads, with the malicious version 1.20.21 showing suspicious commits starting June 8th. The malicious code was also locked across 17 other packages within the Injective Labs npm scope, potentially affecting users who did not directly install the SDK.
