Find notable cyber news and cases, enriched with sources, timelines, and signals.

@Injectivelabs/[email protected] wallet-stealing package

Malware Activity
First reported
Last updated
Happening score
H score 30
1 unique sources, 1 articles

Summary

Hide ▲

The malicious @injectivelabs/[email protected] package is a wallet-stealing malware activity that can expose private keys and mnemonic seed phrases when library functions are used. The tainted release came from a compromised Injective Labs SDK GitHub repository and was published to npm on July 8, 2026. It also spread through 17 additional @injectivelabs packages that pinned the same version, expanding risk to transitive users. The package sent captured wallet derivation material to testnet.archival.chain.grpc-web.injective[.]network, making the release a direct supply-chain theft event.

Related Happenings

Injective Labs SDK project GitHub repository hit by network compromise

Incident
H score21 First: 09.07.2026 23:10 Last: 09.07.2026 23:10 Sources 1

How related: Unknown threat actors compromised the Injective Labs SDK project's GitHub repository and leveraged it to publish a malicious package on the npm registry to steal cryptocurrency wallet private keys and mnemonic seed phrases.

About this happening: The **Injective Labs SDK** project suffered a **GitHub repository compromise** that let attackers publish a malicious **@injectivelabs/sdk-ts v1.20.21** package, putting developer...

Rollup polyfill npm package malware activity for remote access and data theft

Malware Activity
H score16 First: 03.07.2026 19:07 Last: 03.07.2026 19:07 Sources 1

About this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...

Easy-day-js Mastra package-publishing campaign

Campaign
H score30 First: 17.06.2026 10:38 Last: 17.06.2026 10:38 Sources 1

About this happening: The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...

Mastra @mastra/* npm packages hit by network compromise

Incident
H score47 First: 17.06.2026 10:38 Last: 17.06.2026 10:38 Sources 1

About this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...

Latest development: 20.06.2026 17:09

Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.

Atomic-lockfile rootkit-infostealer distribution through AUR packages

Malware Activity
H score3 First: 12.06.2026 20:03 Last: 12.06.2026 20:03 Sources 1

About this happening: **AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...

Timeline

  1. 10.07.2026 20:29 2 articles · 3h ago

    Compromised Injective Labs SDK repository publishes @injectivelabs/[email protected]

    Untyped Phase

    Unknown threat actors compromised the Injective Labs SDK GitHub repository and used the trusted-publisher (OIDC) pipeline to publish @injectivelabs/[email protected] on npm with fake telemetry that exfiltrated cryptocurrency wallet private keys and mnemonic seed phrases. The same malicious version was also pinned across 17 additional @injectivelabs scoped packages, widening exposure for transitive users.

    Show sources
  2. 10.07.2026 20:29 1 articles · 3h ago

    Users are told to update to 1.20.23 and rotate exposed wallet keys

    Initial Disclosure

    Users who installed the malicious @injectivelabs/sdk-ts version were advised to update to the clean 1.20.23 release, treat any private key or mnemonic phrase processed through the package as compromised, rotate those credentials, and review transitive dependencies after the malicious npm release was deprecated.

    Show sources