Alanna
River

Injective SDK npm Compromise: Supply-Chain Attack Steals Wallet Keys

Alanna River

Jul 14, 2026

3 min read

Injective SDK npm compromise

The "What Happened"

  • BleepingComputer reported that hackers compromised the Injective Labs SDK project’s GitHub repository and used it to publish a malicious npm package.
  • The supply-chain attack affected version 1.20.21 of the @injectivelabs/sdk-ts npm package.
  • Security firms Socket, Ox Security, and StepSecurity detected the malicious package activity.
  • Injective SDK is used by developers building cryptocurrency wallets, trading bots, decentralized exchanges, DeFi applications, and payment tools.
  • The package has roughly 50,000 weekly npm downloads, and the attacker also published version 1.20.21 for another 17 project-associated packages pinned to the compromised SDK version.
  • The malicious code activated when SDK functions for generating or importing wallet keys were used.
  • The malware captured mnemonic seed phrases and private keys, encoded the data in base64, and exfiltrated it through an HTTP POST request to an Injective Labs public infrastructure endpoint to make traffic appear legitimate.
  • The legitimate account owner reportedly detected the compromise within minutes, reverted the changes, and published a clean release, version 1.20.23.

A compromised release of the Injective Labs TypeScript SDK on npm demonstrates how quickly a trusted software dependency can become a software supply-chain attack. A single malicious package update briefly exposed developers who generated or imported cryptocurrency wallets, highlighting how compromised dependencies can place sensitive credentials, secrets, and development environments at risk before organizations have time to respond.

Technical Analysis

According to public reporting, the attack began after a legitimate project contributor’s GitHub account was compromised. Using that trusted access, the attacker published version 1.20.21 of @injectivelabs/sdk-ts and propagated the compromised dependency across multiple related npm packages that referenced the same SDK version.

Unlike many supply-chain attacks that execute malicious code during package installation, the injected payload remained dormant until developers invoked wallet creation or wallet import functions within the SDK. This conditional execution reduced unnecessary exposure while targeting the operations most likely to handle sensitive cryptographic material.

Once activated, the malicious code:

  • Captured mnemonic seed phrases and private keys during wallet generation or import.
  • Base64-encoded the stolen data before transmission.
  • Buffered multiple captured secrets before exfiltration.
  • Sent the data through an HTTP POST request to an endpoint hosted on Injective Labs’ public infrastructure, helping the outbound traffic appear legitimate and making detection more difficult through simple domain-based monitoring.

By abusing a trusted software dependency and legitimate project infrastructure, the attacker reduced the likelihood of immediate detection while targeting one of the most sensitive assets in cryptocurrency development: wallet recovery material. Although this campaign focused on cryptocurrency credentials, the underlying technique illustrates how compromised developer dependencies can just as easily be adapted to steal API keys, cloud credentials, repository tokens, signing certificates, or other secrets handled during software development and CI/CD workflows.

How Hexnode Helps Reduce the Risk

Organizations can reduce the impact of software supply-chain incidents by combining endpoint management, device compliance, and endpoint threat detection. Hexnode UEM helps security teams maintain secure developer endpoints by enforcing compliance policies, maintaining software inventory, restricting unapproved applications, and enabling remote remediation of noncompliant devices.

Hexnode XDR and endpoint security capabilities provide visibility into endpoint activity that may indicate a compromised development environment. Security teams can investigate behaviors such as:

  • Suspicious process execution associated with unauthorized applications or scripts.
  • Potential credential access activity that warrants investigation.
  • Unexpected outbound network connections that could indicate data exfiltration.
  • Indicators of post-compromise activity on managed endpoints.

If malicious activity is detected, security teams can respond quickly using One-Click Remediation, including Network Isolation to contain an affected endpoint and Process Kill to terminate suspicious processes while the incident is investigated.

Organizations can further reduce risk by enforcing device compliance and conditional access policies so that only trusted, managed devices can access source code repositories, cloud resources, and CI/CD environments. This approach helps limit the blast radius of a compromised developer endpoint and strengthens overall software supply-chain security.

introduction to hexnode
Featured Resource

Introduction to Hexnode

Download to discover how Hexnode can transform your endpoint management strategy.

Get the Intro Sheet

Conclusion

The Injective SDK incident reinforces that software package ecosystems are part of the enterprise attack surface. Even short-lived compromises of trusted dependencies can expose sensitive credentials and undermine developer workflows before traditional security controls detect malicious activity.

Organizations should strengthen their software supply-chain defenses by combining dependency monitoring, rapid secret rotation, endpoint visibility, CI/CD hardening, and policy-driven endpoint management. Together, these controls help reduce the impact of compromised dependencies, limit the blast radius of developer endpoint compromises, and improve resilience against future supply-chain attacks.

Share

Alanna River

I’m a technical content writer at Hexnode who loves simplifying tech. I break down complex ideas, remove the fluff, and help readers clearly understand our product for what it actually is: simple, reliable, and built to solve real problems.