HackMyIP
← Back to News
2026-07-10 The Hacker News

Injective Labs GitHub Hit by Supply Chain Attack Targeting Crypto Wallets

Supply ChainMalware

Unknown threat actors compromised the official GitHub repository of the Injective Labs SDK project and used that foothold to publish a malicious package on the npm registry designed to steal cryptocurrency wallet private keys and mnemonic seed phrases. The poisoned release, @injectivelabs/sdk-ts@1.20.21, was published on July 8, 2026, and has since been deprecated on npm, though the corresponding release artifacts remain available for download directly from GitHub. According to software supply chain security firm Socket, the compromise was introduced through commits submitted by a GitHub account belonging to a developer with an established history of contributions to the repository, making the malicious changes difficult to distinguish from legitimate activity during routine code review.

The embedded malware is notably simple yet effective, sidestepping lifecycle scripts so that nothing suspicious fires during package installation and the payload flies under the radar of most security scanners. Once an unsuspecting developer invokes the library's key derivation functions, a malicious trackKeyDerivation() routine is triggered under the guise of collecting anonymized usage metrics for SDK optimization. The function accepts a hard-coded marker identifying the key derivation method (hex vs. mnemonic) along with the actual sensitive material required to reconstruct the private key, transmitting both to attacker-controlled infrastructure. A misleading description claims the metrics are "fire-and-forget and never block or affect key derivation," concealing the fact that captured parameters are sufficient for the threat actor to regenerate the user's private key remotely and drain associated wallets.

The blast radius extends well beyond the core SDK. Socket reports that the threat actor also published version 1.20.21 across 17 additional @injectivelabs scoped packages that depended on and pinned the malicious SDK version, ensnaring transitive users who may never have installed the wallet library directly. Affected packages include @injectivelabs/utils, @injectivelabs/networks, @injectivelabs/wallet-base, @injectivelabs/wallet-core, @injectivelabs/wallet-cosmos, @injectivelabs/wallet-private-key, @injectivelabs/wallet-evm, @injectivelabs/wallet-ledger, @injectivelabs/wallet-wallet-connect, @injectivelabs/wallet-magic, and several wallet strategy modules. The combination of a trusted maintainer account, legitimate-looking telemetry code, and a wide transitive dependency tree makes this a textbook example of how a single compromised contributor can weaponize an entire ecosystem.

Developers and organizations that pulled any Injective Labs package in the affected window should immediately rotate any keys or seed phrases that may have been generated or imported while the malicious version was active, audit lockfiles for the pinned 1.20.21 versions, and pin to verified clean releases. As a precaution, anyone working in crypto-adjacent environments should run a email breach checker to confirm developer accounts haven't been exposed in prior leaks that could have enabled this intrusion, review their overall exposure with a privacy checkup, and verify that no stale credentials are still in use via a password checker. The incident underscores why dependency provenance, commit signing, and continuous package monitoring are no longer optional in modern JavaScript supply chains.

Source: The Hacker News →

Related Tools

Check whether this kind of story affects you — free, no signup:

My IP →IP Lookup →Privacy Checkup →

Related Guides

Learn the background behind this story:

What is my IP and why it matters →IP address security →How to stop being tracked online →