Injective SDK Compromised in Supply Chain Attack to Steal Private Keys

Developer at desk with laptop showing code and a warning that Injective SDK is compromised and stealing private keys.

The Injective developer ecosystem has been hit by a serious software supply chain compromise after a malicious version of its TypeScript SDK was published to npm. Security researchers identified @injectivelabs/[email protected] as the affected release, with code designed to steal wallet private keys and mnemonic phrases.

The incident targeted the tools developers use to build crypto applications, rather than the Injective blockchain’s base network. That distinction matters because the chain can remain operational while wallets created or loaded through compromised software still face direct exposure.

Malicious Telemetry Masked Wallet-Key Theft

Socket found that the compromised SDK version added fake telemetry functionality that hooked into legitimate wallet-generation and derivation flows. Once triggered, the code could capture private keys and seed phrases before sending them to an attacker-controlled endpoint.

The attack spread beyond direct installations of @injectivelabs/sdk-ts. The malicious version was also pinned across 17 additional packages in the @injectivelabs npm scope, creating transitive exposure for developers who may not have installed the SDK directly.

The compromise appears to have involved access to a trusted Injective Labs developer or repository workflow. StepSecurity and The Hacker News described the attack as a GitHub-linked compromise that allowed the malicious package release to reach npm.

Developers Must Treat Exposed Keys as Compromised

The most urgent issue is wallet material handled by version 1.20.21. Any private key or mnemonic processed through the compromised SDK should be treated as unsafe, because seed phrases cannot be reliably “cleaned” after exposure.

Developers should move funds to new wallets generated in a clean environment, update dependencies, remove pinned references to the compromised version and audit builds that touched the affected packages. Local caches, lockfiles and CI/CD pipelines also need review because older malicious artifacts can persist after registry cleanup.

The incident reinforces a broader shift in crypto attacker behavior toward developer infrastructure. Instead of attacking only smart contracts or exchange wallets, threat actors are increasingly targeting package managers, GitHub accounts and dependency chains that sit upstream of production applications.

For Injective, the key risk is operational exposure among projects and wallets that used the compromised SDK, not a confirmed failure of the blockchain itself. The next important signals will be incident-response disclosures, package audit results, confirmed exposure counts and whether any stolen wallet material is linked to on-chain fund movements.

Related post

Best crypto platforms