Injective npm SDK Backdoor Hack 2026 — $0 Exploit Analysis

Attackers compromised a trusted maintainer's account and pushed a wallet-stealing backdoor into @injectivelabs/sdk-ts v1.20.21 on npm, exfiltrating BIP-39 seed phrases and private keys.

Details

Full Description

On July 8, 2026, attackers compromised a trusted maintainer's account and pushed a wallet-stealing backdoor into @injectivelabs/sdk-ts v1.20.21 on npm. The malware (key-derivation-telemetry.ts) hooked PrivateKey.fromMnemonic() and PrivateKey.fromHex(), exfiltrating full BIP-39 seed phrases and private keys to a disguised domain. The compromised package was downloaded 310 times before a clean version shipped approximately one hour later. The backdoor spread across 18 @injectivelabs packages. The financial impact was wallet key theft rather than a direct fund loss figure.

Laundering Analysis

No on-chain laundering trail; impact was wallet key theft via supply chain compromise. No recovery figure reported at time of writing.

Sources

Transaction Hashes

Back to Browse