importantSYS.SOURCE: The Hacker News• 2026-07-10T21:59:00+05:30
Injective Labs GitHub Compromise Leads to Malicious npm Packages Stealing Cryptocurrency Wallet Keys
#Software Supply Chain#Cryptocurrency Security#npm Malware#Open Source Security#Credential Theft
Threat actors compromised Injective Labs' GitHub repository to distribute a malicious npm package, @injectivelabs/[email protected], which exfiltrates cryptocurrency wallet private keys and mnemonics. The attack affected multiple dependent packages, urging users to update and rotate compromised credentials.
Unknown threat actors compromised the Injective Labs SDK project's GitHub repository and leveraged it to publish a malicious package on the npm registry to steal cryptocurrency wallet private keys and mnemonic seed phrases.
The compromised version, @injectivelabs/[email protected], came embedded with fake telemetry functionality that exfiltrated data from cryptocurrency wallets. The version was
*** END OF TRANSMISSION ***