Injective Labs SDK Supply Chain Attack Exposes Crypto Wallet Secrets Through Malicious npm Package + Video

Listen to this Post

Featured ImageIntroduction: A Trusted Development Tool Turned Into a Cryptocurrency Theft Mechanism

The software supply chain continues to be one of the most attractive targets for cybercriminals, and the latest compromise involving the Injective Labs SDK demonstrates exactly why developers should never assume that trusted repositories are immune from attack. In this incident, unknown threat actors successfully compromised the official GitHub repository of the Injective Labs SDK project and used that trusted access to distribute a malicious version of its npm package. Instead of delivering legitimate functionality, the poisoned release silently harvested cryptocurrency wallet private keys and mnemonic seed phrases, allowing attackers to potentially recreate victims’ wallets and steal their digital assets. Because the malicious code was hidden inside what appeared to be legitimate telemetry functionality, developers had little reason to suspect that their applications were leaking highly sensitive cryptographic secrets.

A Trusted GitHub Repository Became the Entry Point

Rather than attacking individual users directly, the attackers chose a far more effective strategy by compromising the software supply chain itself. They gained access to the official GitHub repository used by Injective Labs and introduced malicious commits through an account belonging to a long-time contributor with an established contribution history.

This made the malicious code appear authentic. Since the commits originated from a trusted maintainer account, automated security checks and developers reviewing updates were far less likely to question the legitimacy of the changes. The compromise demonstrates how trusted identities can become one of the weakest links in open-source development.

The Malicious npm Package Looked Completely Legitimate

The compromised release was published as @injectivelabs/sdk-ts version 1.20.21 on July 8, 2026. Although the version has since been deprecated from the npm registry, the release artifacts remained available on GitHub at the time of reporting, meaning anyone downloading historical releases could still obtain the infected package.

Instead of obvious malware, the attackers inserted code disguised as a harmless telemetry feature that claimed to collect anonymous performance statistics for SDK optimization. To developers reviewing the source code, the function appeared to perform ordinary analytics rather than credential theft.

This level of deception illustrates how attackers increasingly abuse legitimate software engineering practices to conceal malicious behavior.

Seventeen Additional Packages Also Became Infected

The compromise did not stop with a single package.

The attackers published version 1.20.21 across seventeen additional @injectivelabs packages that directly depended on the infected SDK. This significantly expanded the attack surface because many developers may have installed one of these libraries without realizing they indirectly inherited the compromised dependency.

Affected packages included:

@injectivelabs/utils

@injectivelabs/networks

@injectivelabs/ts-types

@injectivelabs/exceptions

@injectivelabs/wallet-base

@injectivelabs/wallet-core

@injectivelabs/wallet-cosmos

@injectivelabs/wallet-private-key

@injectivelabs/wallet-evm

@injectivelabs/wallet-trezor

@injectivelabs/wallet-cosmostation

@injectivelabs/wallet-ledger

@injectivelabs/wallet-wallet-connect

@injectivelabs/wallet-magic

@injectivelabs/wallet-strategy

@injectivelabs/wallet-turnkey

@injectivelabs/wallet-cosmos-strategy

This cascading dependency model highlights one of the greatest dangers of modern software development. A single compromised library can silently infect dozens or even hundreds of downstream applications.

The Malware Avoided Traditional Detection Techniques

One particularly dangerous characteristic of the malware was its stealth.

Unlike many malicious npm packages that execute immediately during installation using lifecycle scripts, this malware remained dormant until developers actually used the SDK functions.

By avoiding execution during installation, the package bypassed many automated security scanners and reduced the chances of triggering alerts.

The malicious code only activated when legitimate wallet generation functions were called, making the attack far more difficult to identify through conventional package analysis.

Fake Telemetry Function Secretly Stole Wallet Recovery Data

At the center of the attack was a function named trackKeyDerivation().

According to its description, the function supposedly gathered anonymous statistics such as whether developers preferred hexadecimal keys or mnemonic phrases, along with timing information used to improve SDK performance.

Behind the scenes, however, the function transmitted far more than anonymous metrics.

Instead of merely recording key generation methods, it secretly captured:

Private keys

Mnemonic recovery phrases

Key derivation data

Wallet generation parameters

These are the exact pieces of information required to recreate a cryptocurrency wallet.

Anyone possessing a

Seed Phrases Are the Ultimate Target

A cryptocurrency

Unlike ordinary passwords, which can often be reset, mnemonic phrases cannot simply be replaced without creating an entirely new wallet.

Once attackers obtain these recovery phrases, they can reconstruct wallets on another device and transfer every available cryptocurrency asset under their control.

Security researchers explained that the malware intercepted these phrases whenever legitimate wallet creation or recovery operations occurred.

Instead of disrupting the

The Exfiltration Process Was Carefully Designed

The attackers also optimized their exfiltration strategy to remain unnoticed.

Rather than transmitting each stolen credential individually, the malware temporarily collected multiple wallet events inside a queue for approximately two seconds.

After batching the stolen information together, it generated a single HTTPS POST request directed toward:

testnet.archival.chain.grpc-web.injective[.]network

This reduced network traffic, making suspicious outbound communications appear less frequent and therefore less likely to attract attention during security monitoring.

The “fire-and-forget” communication model also ensured that developers experienced no noticeable delays while using the SDK.

Trusted Publishing Infrastructure Was Also Abused

Researchers discovered another alarming aspect of the compromise.

The malicious package was released through the

Because the publication originated through legitimate automated infrastructure, package consumers had little reason to suspect the authenticity of the release.

Security analysts also noted that the malicious commits appeared to originate from the trusted maintainer identity thomasRalee, further strengthening the illusion that the release was legitimate.

This incident demonstrates that even trusted CI/CD pipelines become dangerous once attacker-controlled code enters the development workflow.

Supply Chain Attacks Continue to Evolve

This incident reflects a growing trend in software supply chain attacks.

Cybercriminals increasingly recognize that compromising a widely used development library offers far greater rewards than attacking thousands of individual users.

Instead of distributing malware through phishing emails or malicious downloads, attackers simply wait for developers to install trusted packages.

Every downstream application automatically becomes another potential victim.

As organizations continue relying on thousands of open-source dependencies, software supply chain security has become one of cybersecurity’s most critical challenges.

Recommended Actions for Developers

Anyone who installed @injectivelabs/sdk-ts version 1.20.21 or any affected dependent package should immediately perform a full security review.

Recommended actions include:

Upgrade immediately to the clean release 1.20.23.

Treat every private key or mnemonic phrase processed by the compromised package as fully compromised.

Rotate wallet credentials immediately.

Transfer cryptocurrency assets into newly generated wallets.

Audit all direct and transitive npm dependencies.

Review GitHub Actions and CI/CD pipelines for unauthorized package versions.

Monitor blockchain transactions for suspicious transfers.

Delaying credential rotation could allow attackers to empty affected wallets at any time.

What Undercode Say:

The Injective Labs incident is another reminder that software trust is no longer based solely on cryptographic signatures or official repositories. Attackers have shifted their focus from breaking encryption to compromising the people and processes that build software.

One compromised maintainer account can have a greater impact than dozens of zero-day vulnerabilities.

Developers often assume that official repositories guarantee safety.

This incident proves otherwise.

The fake telemetry implementation was particularly clever.

Security teams expect analytics code.

They rarely expect telemetry functions to transmit wallet recovery phrases.

The attackers exploited that expectation.

Another important lesson is dependency inheritance.

Many organizations may never have installed the primary SDK directly.

Instead, they inherited it through another package.

This dramatically increases exposure.

Organizations should maintain Software Bills of Materials (SBOMs).

Continuous dependency monitoring is becoming mandatory rather than optional.

Modern DevSecOps pipelines should verify package integrity after publication, not only before deployment.

Maintainer accounts require phishing-resistant multi-factor authentication.

Hardware security keys should protect release privileges.

Repository signing alone cannot stop insider-style compromises.

Behavioral analysis of commits becomes increasingly valuable.

Developers should question unexpected telemetry additions.

Secrets should never leave memory unless explicitly required.

Wallet generation libraries deserve extra scrutiny.

Cryptographic code should undergo independent security reviews.

Runtime network monitoring could have detected outbound beacon traffic.

Outbound HTTPS does not automatically imply legitimate communication.

Zero Trust principles apply equally to software dependencies.

Every dependency introduces risk.

Every update deserves validation.

Organizations should automate package reputation analysis.

Threat intelligence feeds should integrate directly into CI pipelines.

Historical releases should also be monitored.

Attackers increasingly weaponize trusted versions.

Dependency pinning is useful but insufficient.

Package provenance verification is equally important.

The attack also reinforces the need for rapid incident response.

Wallet credentials cannot simply be reset.

Immediate migration becomes the only safe option.

Blockchain theft is often irreversible.

Recovery is rarely possible after assets move across multiple chains.

This compromise may encourage broader adoption of reproducible builds.

Independent verification of release artifacts could reduce similar attacks.

Ultimately, software supply chain attacks are becoming one of the defining cybersecurity challenges of modern software development.

Organizations that treat dependency management as a secondary concern will continue facing increasingly sophisticated compromises.

Deep Analysis

The following commands can help security teams identify, investigate, and mitigate similar software supply chain compromises:

Identify installed Injective packages
npm list | grep injectivelabs

Determine dependency tree

npm ls @injectivelabs/sdk-ts

Check package version

npm view @injectivelabs/sdk-ts version

Audit project dependencies

npm audit

Install patched version

npm install @injectivelabs/[email protected]

Remove node_modules for clean reinstall

rm -rf node_modules package-lock.json

Reinstall dependencies

npm install

Search for suspicious telemetry functions

grep -R trackKeyDerivation .

Search for outbound HTTP requests

grep -R "https" node_modules/

Find compromised package versions

find node_modules -type f | grep injectivelabs

Verify Git status

git status

Review recent commits

git log --oneline

Inspect commit changes

git diff

Check GitHub Actions workflows

find .github/workflows -type f

Scan JavaScript files for suspicious requests

grep -R fetch( .

Scan for XMLHttpRequest usage

grep -R XMLHttpRequest .

Verify package integrity

npm doctor

Generate Software Bill of Materials

cyclonedx-npm

Monitor network connections

netstat -tunap

Capture HTTPS traffic

tcpdump -i any port 443

✅ Security researchers confirmed that the official Injective Labs GitHub repository was compromised and a malicious @injectivelabs/sdk-ts v1.20.21 package was published.

✅ The malicious package was designed to steal cryptocurrency private keys and mnemonic seed phrases by disguising its behavior as telemetry functionality, impacting both direct and transitive dependencies.

✅ Users are advised to upgrade to version 1.20.23, assume any wallet credentials processed by the compromised release are exposed, rotate those credentials immediately, and audit dependent packages.

Prediction

(-1) Negative Prediction

Software supply chain attacks targeting cryptocurrency ecosystems will continue to increase because compromising trusted development libraries offers attackers access to thousands of downstream users with a single successful breach.

Open-source maintainers will face growing pressure to adopt stronger identity verification, hardware-backed authentication, and stricter release controls to reduce the risk of repository compromise.

Security vendors will increasingly invest in behavioral analysis of package updates, automated provenance verification, and continuous dependency monitoring as organizations recognize that trusted repositories are no longer guaranteed to be trustworthy.

▶️ Related Video (80% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: thehackernews.com
Extra Source Hub (Possible Sources for article):
https://www.linkedin.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube