Injective SDK npm package used to steal wallet keys
🔒 Security researchers discovered that the @injectivelabs/sdk-ts npm package (v1.20.21) was published with malicious code to capture cryptocurrency wallet private keys and mnemonic seed phrases. The compromise stemmed from a hijacked GitHub contributor account with suspicious commits appearing on June 8; the legitimate owner quickly reverted changes and released a clean 1.20.23. The malware activated when wallet-generation or import functions were called and exfiltrated secrets via HTTP POST to a public Injective Labs endpoint, and the tainted package had hundreds of dependent packages and thousands of downloads.
