Injective Labs GitHub Breach Leads to Malicious npm Packages

Injective Labs, a prominent player in the blockchain sector, recently experienced a significant security breach. Unauthorized individuals gained access to the company’s GitHub repository, leading to the distribution of a compromised npm package designed to extract sensitive cryptocurrency wallet information.

The affected package, identified as @injectivelabs/[email protected], was released on July 8, 2026. This version included a deceptive telemetry feature that covertly harvested private keys and mnemonic seed phrases from users’ cryptocurrency wallets. Although this malicious version has been deprecated on the npm registry, its artifacts remain accessible on GitHub.

The breach was executed through commits made by a GitHub account associated with a developer who had a history of legitimate contributions to the repository. This suggests that the attackers may have compromised the developer’s credentials to infiltrate the project.

Further complicating the situation, the attackers propagated the malicious code across 17 additional packages within the @injectivelabs scope. These packages, which depended on the compromised SDK version, include:

  • @injectivelabs/utils
  • @injectivelabs/networks
  • @injectivelabs/ts-types
  • @injectivelabs/exceptions
  • @injectivelabs/wallet-base
  • @injectivelabs/wallet-core
  • @injectivelabs/wallet-cosmos
  • @injectivelabs/wallet-private-key
  • @injectivelabs/wallet-evm
  • @injectivelabs/wallet-trezor
  • @injectivelabs/wallet-cosmostation
  • @injectivelabs/wallet-ledger
  • @injectivelabs/wallet-wallet-connect
  • @injectivelabs/wallet-magic
  • @injectivelabs/wallet-strategy
  • @injectivelabs/wallet-turnkey
  • @injectivelabs/wallet-cosmos-strategy

This strategy increased the risk of unintentional installation of the compromised code by developers who might not have directly used the primary SDK.

The malicious code was engineered to activate when the library’s functions were utilized, thereby evading detection during the installation phase. It altered standard functions responsible for generating private keys by introducing a function named trackKeyDerivation(). This function was misleadingly described as a tool for collecting anonymized usage metrics to optimize the SDK.

In reality, trackKeyDerivation() captured critical parameters, including the method used for key generation and the actual sensitive data required to create the private key. This information was then transmitted to an external server controlled by the attackers, enabling them to reconstruct users’ private keys.

To minimize the number of outbound requests and reduce the likelihood of detection, the exfiltration mechanism was designed to aggregate multiple key derivations over a two-second interval. The collected data was subsequently sent via an HTTPS POST request to a remote server.

This incident underscores the escalating threat of supply chain attacks within the software development ecosystem. It highlights the necessity for developers and organizations to implement stringent security measures, such as verifying the integrity of third-party packages and monitoring for unauthorized changes in repositories. As attackers continue to exploit trusted platforms to disseminate malicious code, the importance of proactive security practices becomes increasingly critical.