Injective npm Package Compromised, 50k Weekly Downloads at Risk
2026-07-10 11:33

Woofun AI reports that the Injective blockchain npm package @injectivelabs/sdk-ts was maliciously modified after an attacker compromised a developer's GitHub account. The injected code is designed to steal wallet private keys and mnemonic phrases, encoding the data before transmitting it to an address disguised as a legitimate Injective network server.

The affected package recorded approximately 50,000 weekly downloads. Suspicious commits in the malicious version 1.20.21 began on June 8th, and the package is locked within 17 other packages under the Injective Labs npm scope, potentially impacting users who did not directly install this SDK.

Disclaimer: Views are the author's own and do not represent the platform. Do not reproduce without permission. Content is for reference only, not investment advice. Trade at your own risk.
Tags:
Injective
@injectivelabs/sdk-ts
Injective Labs
Share:
back