Attackers compromised a trusted maintainer's account and pushed a wallet-stealing backdoor into @injectivelabs/sdk-ts v1.20.21 on npm, exfiltrating BIP-39 seed phrases and private keys.
On July 8, 2026, attackers compromised a trusted maintainer's account and pushed a wallet-stealing backdoor into @injectivelabs/sdk-ts v1.20.21 on npm. The malware (key-derivation-telemetry.ts) hooked PrivateKey.fromMnemonic() and PrivateKey.fromHex(), exfiltrating full BIP-39 seed phrases and private keys to a disguised domain. The compromised package was downloaded 310 times before a clean version shipped approximately one hour later. The backdoor spread across 18 @injectivelabs packages. The financial impact was wallet key theft rather than a direct fund loss figure.
No on-chain laundering trail; impact was wallet key theft via supply chain compromise. No recovery figure reported at time of writing.
N/A