Injective Labs’ npm SDK Poisoned to Steal Crypto Wallet Credentials

Attackers compromised Injective Labs' repository and injected credential-stealing code into the authentic npm SDK packages used by DeFi blockchain developers.
Table of Contents
    Add a header to begin generating the table of contents

    Attackers compromised Injective Labs’ official source code repository and injected credential-stealing code into the company’s npm SDK packages — targeting a legitimate developer toolkit used by blockchain and DeFi application builders on the Injective Protocol and turning it into a tool for exfiltrating cryptocurrency wallet seed phrases and private credentials directly from developer environments.

    Why Repository-Level Compromise Defeats Standard Developer Verification

    The attack against Injective Labs is a repository-level compromise rather than a lookalike or typosquatting operation. Developers who verify they are installing the authentic Injective SDK — checking the package name, publisher identity, and download source against the official project — would receive the compromised package, because the malicious code was injected into the genuine repository rather than hosted on a fake duplicate.

    This distinction matters for how developers defend against supply chain attacks. The standard advice to verify package publisher identity, check download counts, and confirm package provenance from the official source provides no protection when the official source itself has been compromised. Developers installing the Injective SDK during the compromise window followed correct security practice and were still exposed.

    Wallet Seed Phrases and Private Keys as the Injection’s Primary Target

    The code injected into the Injective npm packages did not target generic developer credentials or application authentication tokens. It specifically targeted cryptocurrency wallet seed phrases — BIP-39 mnemonic recovery phrases that provide complete, irrevocable access to every address a wallet controls — and related private keys and credentials present in the developer’s environment.

    Seed phrase theft is a terminal event for the affected wallet. There is no revocation mechanism for a BIP-39 seed phrase. An attacker who possesses the seed phrase can derive every private key the wallet ever generated, access every address those keys control, and transfer all funds immediately. No subsequent security change — password rotation, hardware wallet migration, or enabling additional authentication on an exchange account — can undo the exposure if funds remain in wallets whose seed phrases were stolen.

    The High-Value Credential Environment of DeFi Developers

    The Injective npm SDK’s user base amplifies the attack’s potential damage. Developers building applications on the Injective Protocol — a DeFi-focused Layer 1 blockchain — typically maintain live wallet credentials and API keys in their development environments to test integrations against the production network. Unlike developers building against a mock API or an isolated test environment, DeFi developers frequently work with real production wallets because the on-chain state they need to test against is a live blockchain network.

    That operational reality means the compromised SDK had access to real, high-value cryptocurrency credentials — not test accounts with nominal balances — in the environments of developers who installed or updated the package during the compromise window.

    The Supply Chain Risk for Blockchain Developers

    Injective Protocol is a DeFi-focused blockchain handling substantial transaction volume. Developers building on it include teams creating decentralized exchanges, lending protocols, and other financial applications that interact with real user funds. A developer whose seed phrase was captured during the compromise window may not only lose personal holdings in affected wallets but may also have exposed operational wallets or multisignature keys used in the protocols they build.

    The incident is distinct from fake Paysafe and Skrill SDK campaigns that circulated previously — those attacks involved lookalike packages designed to deceive developers into installing fraudulent alternatives. The Injective attack targeted developers who installed the correct package from the correct source. Supply chain security controls that focus on package identity verification cannot address a breach at the legitimate source repository.

    Immediate Actions for Developers Who Installed the Compromised SDK

    Developers who installed or updated the Injective npm SDK packages during the compromise window should treat all wallet seed phrases, private keys, and credentials present in their development environments as fully compromised. That means: immediately transferring all funds from affected wallets to freshly generated wallets created using secure, uncompromised software; rotating all API keys and access credentials that were present in the development environment during the exposure window; and auditing any production systems that may have inherited credentials from the compromised development environment.

    Injective Labs’ response, the specific packages and versions affected, and the exact compromise window are available in the project’s official disclosure materials, which provide the authoritative guide for determining whether specific package installations fall within the exposure period.

    Related Posts