Compromised Injective SDK npm Package Exfiltrates Wallet Keys and Mnemonics
Essential information
- Published
- 10/07/2026 05:46
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- blockchain cryptocurrency theft developer account compromise infostealer npm compromise supply chain attack typescript sdk wallet credential exfiltration
- Related entities
- 4 indicators, 2 observables, 13 techniques (mitre)
Description
A compromised version of the Injective Labs TypeScript SDK npm package was published containing malicious code that exfiltrates cryptocurrency wallet private keys and mnemonic phrases. The malicious version 1.20.21 was published on June 8, 2026, through a compromised developer account with established repository access. The malware hooks key generation functions to capture sensitive wallet data and exfiltrates it via base64-encoded POST requests to legitimate Injective infrastructure endpoints, disguising the traffic. The threat actor amplified impact by publishing 17 additional scoped packages pinned to the malicious version. Though quickly detected and contained within hours, the compromised package received approximately 310 downloads. The package has roughly 50,000 weekly downloads and 87 dependent packages, presenting significant supply chain risk to cryptocurrency wallet implementations.