A supply chain attack targeted Injective Labs’ TypeScript software development kit after attackers hijacked a trusted contributor’s GitHub account to push malicious code.
The compromised release, version 1.20.21 of the sdk-ts package, was designed to quietly capture wallet private keys and mnemonic seed phrases from any application using it.
Security firms Socket, Ox Security, and StepSecurity flagged the malicious package almost immediately, tracing the intrusion back to a hijacked maintainer account.
The malicious code disguised itself as telemetry functionality, intercepting wallet creation functions before sending stolen key data to an obfuscated endpoint.
That endpoint was hosted on infrastructure designed to resemble Injective’s own systems, making the exfiltration harder to spot during a quick review.
The package carries roughly fifty thousand weekly downloads and eighty seven dependent packages, giving the attack a wide potential blast radius across the ecosystem.
Attackers also pinned the same malicious version number across seventeen additional Injective scoped packages, attempting to widen the campaign’s reach further.
The tainted release stayed live for under an hour before the legitimate account owner detected the unauthorized activity and moved to contain it.
A revert commit followed quickly, and a clean version, 1.20.23, was published shortly after to replace the compromised code entirely.
Despite the short window, the malicious version was downloaded more than three hundred times before npm marked it as deprecated.
Injective chief executive Eric Chen confirmed that no funds on the network itself were ever at risk during the incident.
He noted there have been no confirmed reports of actual asset theft linked directly to the compromised package so far.
The attack didn’t touch Injective’s blockchain or smart contract layer, instead targeting the developer tooling used to build wallets and trading applications.
Security researchers say supply chain attacks like this one have been rising sharply, with wallet compromises costing the industry hundreds of millions this year alone.
Developers who used the affected SDK version are being urged to treat any wallet credentials generated during that window as fully compromised and replace them.











