ShellCodeX
Tools • Events • News • Insights
ShellCodeX Intelligence Brief
CRITICAL Cybersecurity

Compromised Injective Labs SDK repo led to npm key-stealing package

Source headline: Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages

Threat level Critical
Signal strength 85/100
Source confidence 1 source
Published 1 hour ago

Intelligence Summary

Unknown actors compromised Injective Labs' GitHub repository. They then published a malicious npm package intended to impersonate the Injective Labs SDK. The trojanized release, @injectivelabs/sdk-ts@1.20.21, was designed to steal cryptocurrency wallet private keys and mnemonic seed phrases. It included fake telemetry logic that collected and exfiltrated sensitive wallet data. Users integrating the SDK should verify package versions, review lockfiles, and rotate any exposed wallet credentials immediately.

Recommended Action

Prioritize immediate review, validate exposure, and patch or mitigate affected systems.

Topics

#credential-theft #supply-chain #npm #crypto-wallets #malicious-package
Original reporting The Hacker News Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages
Open original source