PROBABLYPWNED
MalwareJuly 13, 20263 min read

Injective Labs npm Packages Backdoored to Steal Crypto Wallets

Hackers compromised Injective Labs' GitHub repo to push malicious npm packages that steal cryptocurrency wallet keys. 18 packages affected, detected within an hour.

James Rivera

Hackers compromised the Injective Labs GitHub repository and pushed malicious code to 18 npm packages designed to steal cryptocurrency wallet private keys and mnemonic seed phrases. Security firms Socket, Ox Security, and StepSecurity detected the attack within an hour of publication, but not before the poisoned packages were downloaded over 300 times.

The primary target was @injectivelabs/[email protected], a TypeScript SDK with 50,000 weekly downloads used for building applications on the Injective blockchain. The attack is the latest in a wave of supply chain compromises targeting developer tools this month.

How the Attack Worked

The malicious code was disguised as telemetry functionality called trackKeyDerivation(), claiming to collect anonymized usage metrics for SDK optimization. In reality, when developers called functions to generate or import wallet keys, the malware captured the full mnemonic seed phrase and private key.

The payload encoded stolen data in base64 and exfiltrated it via HTTPS POST requests to testnet.archival.chain.grpc-web.injective[.]network—a legitimate-looking Injective infrastructure endpoint chosen to blend with normal traffic.

Attackers gained access through a compromised GitHub maintainer account belonging to "thomasRalee." The commits bypassed the project's normal release flow entirely, pushing directly to npm through the repository's trusted-publisher OIDC pipeline.

18 Packages in the Blast Radius

Beyond the primary SDK, attackers backdoored 17 additional packages in the @injectivelabs scope that depended on the SDK:

  • @injectivelabs/utils
  • @injectivelabs/networks
  • @injectivelabs/wallet-base, wallet-core, wallet-evm
  • @injectivelabs/wallet-ledger, wallet-magic, wallet-trezor
  • @injectivelabs/wallet-cosmostation, wallet-wallet-connect
  • Multiple other wallet ecosystem packages

Each package pinned the malicious SDK version, putting transitive users at risk even if they never directly installed the compromised SDK.

Why This Matters

Injective SDK powers cryptocurrency wallets, trading bots, decentralized exchanges, and DeFi payment tools. Unlike most infostealers that activate on installation, this malware waited until developers actually used key generation functions—a clever evasion technique that delays detection while ensuring high-value credential theft.

The attack also exploited GitHub's OIDC trusted-publisher workflow, which many organizations assume is more secure than traditional API token authentication. When a legitimate maintainer account is compromised, these protections mean nothing.

Despite the 300+ downloads of poisoned packages, Injective CEO Eric Chen confirmed no funds were lost. The malicious release was deprecated within an hour, though GitHub release artifacts remained available at the time of reporting.

Immediate Actions

  1. Check lockfiles for @injectivelabs/[email protected] or any version between 1.20.21 and 1.20.22
  2. Assume compromise if affected packages were installed—treat all private keys and seed phrases as exposed
  3. Rotate credentials immediately by generating new wallet addresses and transferring assets
  4. Update to version 1.20.23 which contains verified clean code
  5. Audit npm install logs for unexpected outbound connections to Injective domains

The incident highlights why organizations building on blockchain infrastructure should pin specific dependency versions and monitor for unexpected package updates. When AI coding tools are themselves becoming targets, supply chain verification deserves more scrutiny than ever.

Frequently Asked Questions

Were any cryptocurrency funds actually stolen? No confirmed thefts have been reported. The malicious packages were live for less than an hour before detection, and Injective's response was fast enough to prevent widespread exploitation.

How can I tell if my wallet was compromised? If you installed affected packages between July 8-9, 2026, and called key generation functions, your credentials may have been exfiltrated. Generate new wallet addresses as a precaution—don't wait for confirmation of theft.

Related Articles