Software supply chain attacks have become more common as attackers target trusted developer tools rather than end users.
In the latest incident, attackers compromised a trusted Injective Labs software package to steal developers’ wallet credentials.


How did the Injective SDK attack develop?
The attacker uploaded a malicious version of the TypeScript SDK (@injectivelabs/sdk-ts v1.20.21) to npm. The package is designed for building Injective applications, creating wallets and signing transactions.
the attacker then gained accessto a legitimate Injective Labs contributor’s GitHub account and distributed malicious commits. One testing branch was called “test-backdoor checking”.
The attacker published the compromised package to npm under the guise of telemetry.
Instead of collecting usage data, the malware extracted private keys and mnemonic seed words. This gave the attackers everything they needed to recreate and take over the victims’ crypto wallets.
On top of that, the compromise is propagated via transitive dependencies in 17 additional Injective packages based on the SDK.
Gap leading to violations
The malicious code remained passive during installation, which helped it evade detection.
Instead, it is only executed when developers use the fromMnemonic or fromHex wallet creation functions.
The compromised package was downloaded approximately 50,000 times each week. At least 87 other packages were directly tied to it.
The attacker also expanded the reach of the attack by releasing 17 additional Injective packages fixed to the compromised SDK version.


What’s more?
A clean version, v1.20.23, was made available shortly after. However, the compromised version was still available on npm as a deprecated package, and release artifacts were still available on GitHub.
Therefore, to avoid further such incidents, users need to return all affected credentials, create new wallets and move their funds.
This came across BonkDAO loses $20 million Due to a “malicious administration proposal” that has made them the latest victim of a crypto hack.
Ffinal summary
- The criminal gained access to the GitHub account of a legitimate Injective Labs contributor and used it to distribute malicious commits.
- Developers were made vulnerable to the attack due to transitive dependencies in 17 additional injection packages.





