Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages

Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages
Unknown threat actors compromised the Injective Labs SDK GitHub repository and published a malicious npm package, @injectivelabs/[email protected], to steal cryptocurrency wallet private keys and mnemonic seed phrases. The attack also spread to 17 related @injectivelabs packages, so users should treat any exposed keys as compromised and rotate them immediately. #InjectiveLabs #@injectivelabs/sdk-ts #thomasRalee

Keypoints

  • The Injective Labs SDK GitHub repository was compromised by unknown threat actors.
  • Malicious version @injectivelabs/[email protected] was published to npm.
  • The package used fake telemetry to exfiltrate private keys and mnemonic phrases.
  • The attack was also pushed to 17 related @injectivelabs scoped packages.
  • Users are advised to upgrade to 1.20.23 and rotate any exposed wallet credentials.

Read More: https://thehackernews.com/2026/07/injective-labs-github-compromise-pushes.html