@Injectivelabs/[email protected] wallet-stealing package
Malware Activity
Summary
Hide ▲
Show ▼
The malicious @injectivelabs/[email protected] package is a wallet-stealing malware activity that can expose private keys and mnemonic seed phrases when library functions are used. The tainted release came from a compromised Injective Labs SDK GitHub repository and was published to npm on July 8, 2026. It also spread through 17 additional @injectivelabs packages that pinned the same version, expanding risk to transitive users. The package sent captured wallet derivation material to testnet.archival.chain.grpc-web.injective[.]network, making the release a direct supply-chain theft event.
Related Happenings
Injective Labs SDK project GitHub repository hit by network compromise
Incident
H score21
First: 09.07.2026 23:10
Last: 09.07.2026 23:10
Sources 1
How related:
Unknown threat actors compromised the Injective Labs SDK project's GitHub repository and leveraged it to publish a malicious package on the npm registry to steal cryptocurrency wallet private keys and mnemonic seed phrases.
About this happening:
The **Injective Labs SDK** project suffered a **GitHub repository compromise** that let attackers publish a malicious **@injectivelabs/sdk-ts v1.20.21** package, putting developer...
Injective Labs SDK project GitHub repository hit by network compromise
IncidentHow related: Unknown threat actors compromised the Injective Labs SDK project's GitHub repository and leveraged it to publish a malicious package on the npm registry to steal cryptocurrency wallet private keys and mnemonic seed phrases.
About this happening: The **Injective Labs SDK** project suffered a **GitHub repository compromise** that let attackers publish a malicious **@injectivelabs/sdk-ts v1.20.21** package, putting developer...
Rollup polyfill npm package malware activity for remote access and data theft
Malware Activity
H score16
First: 03.07.2026 19:07
Last: 03.07.2026 19:07
Sources 1
About this happening:
**Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Rollup polyfill npm package malware activity for remote access and data theft
Malware ActivityAbout this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Easy-day-js Mastra package-publishing campaign
Campaign
H score30
First: 17.06.2026 10:38
Last: 17.06.2026 10:38
Sources 1
About this happening:
The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...
Easy-day-js Mastra package-publishing campaign
CampaignAbout this happening: The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...
Mastra @mastra/* npm packages hit by network compromise
Incident
H score47
First: 17.06.2026 10:38
Last: 17.06.2026 10:38
Sources 1
About this happening:
**Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...
Mastra @mastra/* npm packages hit by network compromise
IncidentAbout this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...
Latest development: 20.06.2026 17:09
Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.
Atomic-lockfile rootkit-infostealer distribution through AUR packages
Malware Activity
H score3
First: 12.06.2026 20:03
Last: 12.06.2026 20:03
Sources 1
About this happening:
**AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...
Atomic-lockfile rootkit-infostealer distribution through AUR packages
Malware ActivityAbout this happening: **AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...
Timeline
-
10.07.2026 20:29 2 articles · 3h ago
Compromised Injective Labs SDK repository publishes @injectivelabs/[email protected]
Untyped PhaseUnknown threat actors compromised the Injective Labs SDK GitHub repository and used the trusted-publisher (OIDC) pipeline to publish @injectivelabs/[email protected] on npm with fake telemetry that exfiltrated cryptocurrency wallet private keys and mnemonic seed phrases. The same malicious version was also pinned across 17 additional @injectivelabs scoped packages, widening exposure for transitive users.
Show sources
- Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages — thehackernews.com — 10.07.2026 20:29
- Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages — thehackernews.com — 10.07.2026 20:29
-
10.07.2026 20:29 1 articles · 3h ago
Users are told to update to 1.20.23 and rotate exposed wallet keys
Initial DisclosureUsers who installed the malicious @injectivelabs/sdk-ts version were advised to update to the clean 1.20.23 release, treat any private key or mnemonic phrase processed through the package as compromised, rotate those credentials, and review transitive dependencies after the malicious npm release was deprecated.
Show sources
- Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages — thehackernews.com — 10.07.2026 20:29