Injective SDK npm Compromise Exposes Wallet-Key Theft Risk
Socket, Ox Security and StepSecurity said they detected wallet-stealing code in @injectivelabs/sdk-ts npm package version 1.20.21 after an Injective Labs contributor account was compromised. Socket said the malicious release was downloaded 310 times before deprecation, while Ox Security counted 87 direct dependencies and described a six-figure cumulative download count across dependent packages.

A compromised Injective Labs developer account pushed wallet-stealing code into a widely used npm package, putting DeFi developers at risk when they generated or imported keys with the affected SDK.
Socket, Ox Security and StepSecurity said they detected the supply-chain attack in the malicious @injectivelabs/sdk-ts npm package version 1.20.21.
The researchers said the package serves developers building on the Injective blockchain and has 50,000 weekly downloads on npm.
Injective SDK npm package version 1.20.21 stole wallet keys
The affected package is the TypeScript and JavaScript SDK used to build applications on Injective, a Layer-1 blockchain focused on decentralised finance, tokenised assets and decentralised exchanges.
The researchers identified cryptocurrency wallets, trading bots, decentralised exchanges, DeFi applications and payment tools as common uses for the SDK.
The researchers said a legitimate project contributor's GitHub account was taken over before suspicious commits appeared on June 8.
They said the malicious npm release followed shortly afterwards, turning a normal software update path into a wallet-key exposure route.
Seventeen related packages pointed back to the compromised SDK
The researchers said the attacker also published version 1.20.21 for another 17 related project packages.
Those packages pinned their dependency back to the compromised SDK version, widening the risk beyond developers who installed the SDK directly.
The researchers said the legitimate account owner detected the compromise within minutes, reverted the changes and published clean release version 1.20.23.
Socket said the malicious package was downloaded 310 times before it was deprecated, not removed, and said the malicious GitHub release artifacts remained available.
Ox Security counted 87 direct dependencies
Socket said the package had 87 direct npm dependencies and likely had further transitive dependency exposure.
Ox Security said those dependent packages had a six-figure cumulative download count.
Those figures describe package-ecosystem reach, not confirmed wallet theft.
The researchers did not name affected developers, exchanges, wallet operators or payment tools, and did not say whether any cryptocurrency had already been transferred by the attackers.
Key generation triggered the malware
The malware did not activate simply when a developer installed the package.
StepSecurity said it ran when developers used SDK functions that generated or imported wallet keys, then captured full mnemonic seed phrases and private keys.
StepSecurity said the stolen data was encoded in base64 and sent through an HTTP POST request to an Injective Labs public infrastructure endpoint so the traffic would look legitimate.
StepSecurity also said the malware queued multiple keys and mnemonics briefly before sending them in the request header.
Developers who suspect exposure were advised to transfer cryptocurrency to new wallets and rotate all secrets in their environment.
Socket, Ox Security and StepSecurity did not name affected developers, confirmed stolen-fund transfers or a complete removal date for the malicious GitHub release artifacts.


















