Injective Labs GitHub Hack: What Happened
Attackers breached the Injective Labs SDK project’s GitHub repository and used it to push a malicious package to the npm registry. The package, @injectivelabs/sdk-ts@1.20.21, was designed to steal cryptocurrency wallet private keys and mnemonic seed phrases.
The compromised version contained fake telemetry functionality. Instead of collecting legitimate usage data, it exfiltrated sensitive wallet information. Anyone who installed this package risked losing access to their crypto funds.
This is a classic supply chain attack. The attackers didn’t break into individual developer machines — they targeted the source code repository itself, injecting malicious code that downstream users would trust and install.
How the Malicious Package Stole Wallet Keys
The fake telemetry in @injectivelabs/sdk-ts@1.20.21 didn’t just phone home with harmless metrics. It specifically targeted cryptocurrency wallet private keys and mnemonic seed phrases — the two pieces of data that give full control over a blockchain wallet.
Once a developer or project integrated this compromised package, the malicious code would activate during runtime. It collected wallet credentials and sent them to servers controlled by the attackers. The code was disguised as routine telemetry, making it harder to spot during code reviews.
Private keys are the ultimate prize in crypto theft. With a private key, an attacker can sign transactions and move funds without any additional authentication. Seed phrases (also called recovery phrases) are equally dangerous — they can regenerate an entire wallet on any device.
Timeline and Response
Security researchers identified the malicious package shortly after it appeared on npm. The compromised version was published on an unknown date, but the Injective Labs team moved quickly once alerted.
The malicious version has been removed from the npm registry. Injective Labs also published a security advisory warning users not to use @injectivelabs/sdk-ts@1.20.21 and to immediately rotate any wallet keys that may have been exposed.
If you or your project used this specific version, the safest course is to:
- Check your
package-lock.json or yarn.lock for @injectivelabs/sdk-ts@1.20.21
- Treat any wallet that was active on a machine with this package as compromised
- Generate new wallet addresses and transfer funds immediately
- Run a full security audit of your development environment
Lessons for the Crypto Development Community
This incident is a stark reminder that trust in open-source packages has limits. The npm ecosystem, like PyPI and RubyGems, has seen repeated supply chain attacks. Crypto projects are especially attractive targets because a successful breach yields direct financial gain.
What makes this attack particularly insidious is that it targeted the crypto wallet key theft vector through a trusted SDK. Developers using Injective Labs’ tools likely had no reason to suspect the package was compromised. The attackers exploited that trust.
For teams building on blockchain infrastructure, several practices can reduce risk:
Verify Package Integrity
Always check package hashes against official sources. npm supports integrity checking via package-lock.json. If a package’s hash changes unexpectedly, that’s a red flag.
Pin Dependencies
Don’t use loose version ranges like ^1.20.0. Pin to exact versions and review updates manually. This won’t prevent all attacks, but it buys time to vet new releases.
Monitor for Anomalies
Sudden changes in package behavior — like new network requests or unexpected file system access — should trigger immediate investigation. Tools like Socket can automate this monitoring.
What Injective Labs Users Should Do Now
If you’re an Injective Labs SDK user, the immediate priority is determining whether you ever installed version 1.20.21. Even if you’ve since updated, the damage may already be done.
Check your npm audit logs and CI/CD pipeline history. If the malicious package ran in any environment that had access to wallet keys, those keys are compromised. The attackers may have already copied them.
For developers who suspect exposure, the safest move is to treat all wallets used in that environment as burned. Generate fresh wallets and transfer funds. This is inconvenient, but it’s far cheaper than losing everything to a delayed attack.
The Injective Labs team has been transparent about the breach, which is commendable. But the incident underscores a broader truth: in crypto, a single compromised dependency can empty your wallet in seconds. Vigilance isn’t optional — it’s the price of participation.