Injective SDK Supply Chain Attack: Crypto Wallet Keys Stolen Via Malicious npm Package
A sophisticated supply chain attack has targeted developers building on the **Injective** blockchain, leading to the compromise of the **Injective Labs SDK** project's **GitHub** repository. Malicious versions of the **@injectivelabs/sdk-ts** npm package were published, designed to steal cryptocurrency wallet private keys and mnemonic seed phrases from unsuspecting developers.
Hackers successfully infiltrated the **Injective Labs SDK** project's **GitHub** repository, leveraging their access to distribute a malicious package via the **Node Package Manager (npm)**. This deceptive package was engineered to exfiltrate sensitive cryptocurrency wallet private keys and mnemonic seed phrases.
The attack was swiftly identified by application security firms **Socket**, **Ox Security**, and **StepSecurity**, who pinpointed version 1.20.21 of the **@injectivelabs/sdk-ts** npm package as the culprit.
**Injective SDK** is a vital **TypeScript/JavaScript** software development kit used for building applications on the **Injective** blockchain, a Layer-1 blockchain specializing in decentralized finance (**DeFi**), tokenized assets, and decentralized exchanges.

With approximately 50,000 weekly downloads on **npm**, the package is widely adopted by developers creating cryptocurrency wallets, trading bots, decentralized exchanges, **DeFi** applications, and payment tools.
Researchers revealed that the attacker compromised a **GitHub** account belonging to a legitimate project contributor. The first suspicious commits appeared on June 8, with the malicious package version published shortly thereafter. The attacker also released version 1.20.21 for an additional 17 associated packages, all of which were pinned to the compromised SDK version.
The legitimate account owner detected the breach within minutes, promptly reverting the malicious changes and releasing a clean version, 1.20.23. However, any developer systems that fetched or used the malicious packages through an update were likely compromised.
**Socket** reported that the malicious version was downloaded 310 times before its deprecation. Notably, the package was deprecated rather than removed, and the malicious **GitHub** release artifacts remain accessible.
The researchers also highlighted the extensive reach of the compromise, noting that the package has 87 direct dependencies on **npm**, with potentially many more transitive dependencies. A report from **Ox Security** underscored this impact, stating that these 87 dependent packages have a cumulative download count exceeding 112,000.
### Targeting Cryptocurrency Wallets
The malware's activation is insidious, triggering not upon installation but when developers utilize SDK functions designed to generate or import wallet keys. Once these functions are invoked, the malware captures the complete mnemonic seed phrase and private key, encoding the data in base64.
To evade detection, all exfiltrated information is sent via an **HTTP POST** request to a legitimate **Injective Labs** public infrastructure endpoint, making the traffic appear innocuous. **StepSecurity** further detailed that the malware did not immediately transmit stolen secrets. Instead, it queued multiple keys and mnemonics for two seconds, bundling them into the **HTTP** request header before transmission.
Attackers can then use the stolen mnemonics or private keys to port victims' wallets to their own devices, granting them full access to, and control over, digital assets.
Developers who suspect their systems may have been compromised are strongly advised to transfer their cryptocurrency to new, secure wallets and to rotate all secrets within their development environments immediately.