Unknown threat actors compromised the GitHub repository for Injective Labs’ SDK project and used the access to push a malicious package to the npm registry. The package was designed to steal cryptocurrency wallet private keys and mnemonic seed phrases from developers and applications that depended on it.

The compromised release, identified as @injectivelabs/[email protected], contained disguised telemetry code. Rather than performing legitimate diagnostic or analytics functions, this code was built to quietly exfiltrate sensitive wallet data from any environment where the package was installed.

Because the SDK is used by developers building on the Injective blockchain, the supply chain compromise had the potential to affect any downstream application, wallet integration, or automated build pipeline that pulled in the tainted version without verification.

Why This Matters

Supply chain attacks against npm packages remain one of the most effective ways for threat actors to reach a broad set of victims through a single point of compromise. By targeting a widely used SDK tied to blockchain development, attackers can potentially harvest private keys that grant direct access to cryptocurrency funds, a payoff far more immediate than typical credential theft.

The use of fake telemetry functionality as a disguise is notable. Legitimate telemetry and analytics hooks are common in modern SDKs, making it easier for malicious exfiltration code to blend in during a cursory review.

Recommendations

  • Audit any project dependencies for the affected version, @injectivelabs/[email protected], and remove or downgrade immediately if found.
  • Rotate any private keys or seed phrases that may have been present in environments where the compromised package was installed.
  • Review GitHub repository access logs and enforce strong authentication and branch protection on package source repositories.
  • Pin dependency versions and verify package integrity (checksums, signatures) before deployment in CI/CD pipelines.

Organizations using the Injective Labs SDK should treat this as an active incident until the scope of the compromise and the full list of affected versions is confirmed.