Login
Sign Up
Woofun AI reports that the Injective blockchain npm package @injectivelabs/sdk-ts was maliciously modified after an attacker compromised a developer's GitHub account. The injected code is designed to steal wallet private keys and mnemonic phrases, encoding the data before transmitting it to an address disguised as a legitimate Injective network server.
The affected package recorded approximately 50,000 weekly downloads. Suspicious commits in the malicious version 1.20.21 began on June 8th, and the package is locked within 17 other packages under the Injective Labs npm scope, potentially impacting users who did not directly install this SDK.