Developers who installed @injectivelabs/[email protected] or related @injectivelabs packages during the July 8 release window should treat any wallet private keys or seed phrases handled by that code as compromised. Security researchers found that the tainted Injective TypeScript SDK hooked normal key-derivation functions and copied secrets through fake telemetry, turning a trusted blockchain developer package into a runtime wallet stealer.[1]
The incident is a sharp software supply-chain warning because the package is not a random typosquat. @injectivelabs/sdk-ts is the official SDK used by JavaScript and TypeScript applications that build wallets, trading bots, decentralized exchange frontends, and other Injective workflows. Socket says the package has roughly 50,000 weekly downloads and that the attacker also published version 1.20.21 across 17 other @injectivelabs-scoped packages pinned to the poisoned SDK, creating transitive exposure for projects that never named sdk-ts directly.[1]
npm registry metadata reviewed by HowToFix shows @injectivelabs/[email protected] is now marked with a security deprecation warning, while 1.20.23 is the current clean release. The registry also shows one dependent package, @injectivelabs/[email protected], pinned to @injectivelabs/sdk-ts version 1.20.21, matching the transitive-risk reports from Socket, StepSecurity, and Aikido.[2]
The payload did not need a noisy install script. Researchers reported that it sat in bundled build artifacts and fired when an application called normal wallet functions such as PrivateKey.fromMnemonic() or PrivateKey.fromHex(). That means a package could install quietly and only leak secrets later, when a user or service actually generated or imported a wallet key.[3]
This pattern fits the broader pressure on developer ecosystems that HowToFix has tracked in recent TeamPCP developer-tool compromises, PolinRider package campaigns, and the Mastra easy-day-js npm incident. The practical lesson is the same: a fast cleanup by maintainers does not automatically protect applications that resolved a malicious version during the exposure window.
What developers should check now
First, search package-lock.json, pnpm-lock.yaml, yarn.lock, container build logs, CI caches, and deployed bundles for @injectivelabs packages at version 1.20.21. Do not stop at direct dependencies; the attacker used related wallet packages to pull the poisoned SDK transitively.
Second, upgrade affected @injectivelabs packages to 1.20.23 or later and rebuild from a clean dependency cache. If an application used the compromised SDK at runtime to generate, import, or sign with a mnemonic phrase or private key, assume that secret is no longer private. Move funds to newly generated wallets, rotate any exposed keys, and review transaction history for unexpected transfers.
Third, review network telemetry around the affected build window. Aikido and Socket identify a defanged exfiltration endpoint shaped to resemble Injective infrastructure: testnet[.]archival[.]chain[.]grpc-web[.]injective[.]network. Aikido also lists the malicious bundle file names dist/cjs/accounts-Cy0p4lLW.cjs and dist/esm/accounts-jQ1GSgaW.js, with published SHA-256 hashes for defenders who keep package artifact logs.[4]
The contained download count reported by Socket is small compared with the package’s normal reach, but the impact class is severe. A single mnemonic or raw private key is enough to recreate a wallet elsewhere. For teams building crypto applications, the response should be closer to a credential-theft incident than a routine dependency update.
References
- Socket, “Compromised Injective SDK npm Package Exfiltrates Wallet Keys and Mnemonics,” July 9, 2026. https://socket.dev/blog/compromised-injective-sdk-npm-package
- npm registry metadata for
@injectivelabs/sdk-tsand related@injectivelabspackages, reviewed July 10, 2026. https://www.npmjs.com/package/@injectivelabs/sdk-ts - StepSecurity, “Injective npm Supply Chain Attack: 18 Packages Backdoored to Steal Crypto Wallet Keys,” July 9, 2026. https://www.stepsecurity.io/blog/injective-npm-supply-chain-attack-18-packages-backdoored-to-steal-crypto-wallet-keys
- Aikido Security, “Compromised @injectivelabs/sdk-ts exfiltrates wallet keys through fake telemetry,” July 9, 2026. https://www.aikido.dev/blog/compromised-injectivelabs-exfiltrates-keys
- BleepingComputer, “Injective SDK on npm infected with cryptocurrency wallet stealer,” July 9, 2026. https://www.bleepingcomputer.com/news/security/injective-sdk-on-npm-infected-with-cryptocurrency-wallet-stealer/
Leave a Comment