Unknown threat actors compromised the Injective Labs SDK project’s GitHub repository and leveraged it to publish a malicious package on the npm registry to steal cryptocurrency wallet private keys and mnemonic seed phrases.
The compromised version, @injectivelabs/sdk-ts@1.20.21, came embedded with fake telemetry functionality that exfiltrated data from cryptocurrency wallets. The version was released on July 8, 2026, but has since been deprecated on the registry. That said, the release artifacts belonging to the compromised version are still available for download from GitHub as of writing.
“The malicious functionality was introduced to the project’s official GitHub repository through commits submitted by a GitHub account belonging to a developer with an established history of contributions to the repository,” Socket said.
Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages
Submitted 3 hours ago by tonytins@pawb.social to cybersecurity@infosec.pub
https://thehackernews.com/2026/07/injective-labs-github-compromise-pushes.html