Injective Labs npm SDK Hijacked to Steal Crypto Wallet Keys
What Happened
The Injective Labs SDK on npm has been infected with a cryptocurrency wallet stealer. Attackers compromised the Injective Labs GitHub repository and used that access to publish a poisoned package to the npm registry. The malicious code silently exfiltrates private keys and mnemonic seed phrases from cryptocurrency wallets present in any affected environment.
Why It Matters
This is a textbook supply chain attack — the threat is embedded in a dependency you trust, not in a file you were tricked into opening. If your project pulls any @injectivelabs packages and installed a compromised version, your wallet credentials may already be gone. Private keys and seed phrases are unrecoverable: once stolen, every wallet accessible from those credentials is permanently at risk. Developers building on the Injective Protocol — a DeFi blockchain — are primary targets, but any CI/CD pipeline or developer workstation that ran npm install with the infected package is in scope.
The damage window in supply chain attacks is tight. Poisoned packages can propagate through dozens of downstream projects before detection, and exfiltration typically happens at install time — meaning the theft may have already occurred before any public advisory was issued.
What to Do
1. Audit your dependencies immediately. Run npm ls @injectivelabs and search package.json and package-lock.json across all your repositories for Injective Labs packages. Cross-reference the specific compromised version against the BleepingComputer report for version details.
2. Rotate every exposed key now — do not wait. If the affected package was installed in any environment where wallet private keys or mnemonic seed phrases were accessible, treat those credentials as fully compromised. Move funds to a fresh wallet immediately. Do not wait to confirm exfiltration; assume it happened.
3. Audit your CI/CD pipelines. If your build system ran npm install in an environment where wallet secrets or signing keys were present, rotate those credentials. Check pipeline logs for the install date and time to bound your exposure window.
4. Update to a clean release. Monitor the Injective Labs GitHub repository and npm page for a confirmed clean version. Once published, update and re-lock your dependencies across all affected projects.
5. Review on-chain transaction history. Inspect all potentially exposed wallets for unauthorized transfers. If you find suspicious activity, notify any relevant exchanges or custodians immediately — most have accelerated response processes for theft incidents.
Synthesized by Claude · sanity-checked before publish.