Hackers target Injective developers with malicious SDK
A compromised maintainer account let attackers push malicious code to 18 packages for roughly 17 minutes before security researchers caught it
A supply chain attack briefly compromised Injective Labs’ TypeScript SDK after attackers published a malicious npm release that harvested crypto wallet credentials, prompting warnings for developers to replace potentially exposed keys, according to cybersecurity firm Socket.
🚨 Socket detected a software supply chain compromise in @​injectivelabs/sdk-ts, a popular npm package with ~50,000 weekly downloads and 87 npm dependents.
The malicious release hooks wallet key-derivation functions, records private keys and mnemonics, and exfiltrates them… pic.twitter.com/L7t2h9kSdD
— Socket (@SocketSecurity) July 9, 2026
Socket said the compromised version 1.20.21 of Injective Labs’ TypeScript SDK injected malicious code into wallet creation functions, collecting mnemonic phrases and private key material before sending the information to an obfuscated endpoint hosted on Injective’s public infrastructure.
The malicious release was traced to commits made through the GitHub account of an existing contributor and was reversed within minutes after the account owner detected unauthorized activity. Although a clean version was subsequently released, the compromised package remained on npm as a deprecated download.
Researchers said the attackers attempted to amplify the campaign by publishing the same version number across 17 additional Injective packages that directly or indirectly depended on the compromised SDK.
The affected SDK has about 50,000 weekly downloads and 87 dependent packages, highlighting the potential reach of the incident despite its short duration.
Socket recommended upgrading to version 1.20.23, reviewing dependency chains, and treating any wallet credentials processed by the compromised releases as fully compromised.