Skip to content
supplychainattack.orgSupply chain attack incident catalog
containedcritical

Injective SDK on npm infected with cryptocurrency wallet stealer

Hackers compromised the Injective Labs SDK GitHub repository and published a malicious npm package that stole cryptocurrency wallet private keys and mnemonic seed phrases from users who installed it.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
Unknown number of npm users who installed the malicious Injective SDK package; potential impact on cryptocurrency holdings of affected users.
Ecosystems
Attack vectors
Affected entities
  • Injective SDKMalicious package published on npm

The Injective Labs SDK project on GitHub was compromised by attackers who gained unauthorized access to the repository. Using this access, the attackers published a malicious version of the Injective SDK package to the Node Package Manager (npm) registry.\n\nThe malicious package contained code designed to steal sensitive cryptocurrency wallet information, specifically private keys and mnemonic seed phrases, from users who installed or ran the compromised package. This type of attack directly threatens the security of cryptocurrency holdings for any developer or user who executed the malicious code.\n\nThe incident represents a supply chain attack targeting the npm ecosystem, where a legitimate project's distribution channel was weaponized to deliver wallet-stealing malware to downstream users.

Remediation

  • Immediately remove or uninstall the malicious Injective SDK package from all systems
  • Audit npm package installation history to identify when the malicious version was installed
  • If the malicious package was executed, treat all associated cryptocurrency wallets as compromised and transfer funds to new wallets with fresh keys
  • Review GitHub repository access logs and revoke compromised credentials
  • Enable multi-factor authentication on GitHub and npm accounts
  • Monitor affected cryptocurrency wallets for unauthorized transactions
  • Check npm audit logs and consider using npm package integrity verification tools

Sources

  1. Injective SDK on npm infected with cryptocurrency wallet stealer · BleepingComputer

Cite this entry

"Injective SDK on npm infected with cryptocurrency wallet stealer." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 9, 2026; last updated July 9, 2026. https://supplychainattack.org/incident/injective-sdk-on-npm-infected-with-cryptocurrency-wallet-stealer-y0s9hj

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

  1. activecritical

    Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp

    A self-replicating worm named Miasma is spreading across the npm registry by injecting malicious code into binding.gyp files, which execute during npm install without requiring package.json script modifications. The attack has already compromised dozens of packages across multiple maintainer accounts and evades conventional security detection.

    MiasmanpmCompromised packageMalicious commit
  2. activehigh

    Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware

    A supply chain campaign dubbed "Mini Shai Hulud" targeted SAP npm packages with malicious versions containing credential-stealing malware. The campaign follows patterns similar to previous Shai-Hulud attacks.

    Mini Shai HuludShai-HuludnpmCompromised packageMalicious commit
  3. activehigh

    New ChocoPoC malware targets researchers via trojanized PoC exploits

    Multiple weaponized proof-of-concept (PoC) exploits on GitHub were found delivering ChocoPoC, a Python-based remote access trojan (RAT) capable of executing commands and stealing sensitive data. The campaign is believed to target cybersecurity researchers.

    OtherMalicious commitCompromised package
  4. containedcritical

    Trivy Compromised: Everything You Need to Know about the Latest Supply Chain Attack

    On March 19, 2026, threat actors attributed to "TeamPCP" injected credential-stealing malware into Aqua Security's Trivy scanner and related GitHub Actions. The compromise affected the supply chain of a widely-used container security tool, potentially exposing credentials and secrets in CI/CD environments.

    TeamPCPContainer registryOtherCompromised packageMalicious commit